Added content security policy.

This commit is contained in:
Mike Cao 2022-07-31 23:29:47 -07:00
parent 2b7da339e2
commit adb069babc
2 changed files with 36 additions and 9 deletions


@ -33,14 +33,6 @@ function customScriptName(req) {
} }
} }
function forceSSL(req, res) {
if (process.env.FORCE_SSL && req.nextUrl.protocol === 'http:') {
res.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
}
return res;
}
export default function middleware(req) { export default function middleware(req) {
const fns = [customCollectEndpoint, customScriptName]; const fns = [customCollectEndpoint, customScriptName];
@ -51,5 +43,5 @@ export default function middleware(req) {
} }
} }
return forceSSL(req, NextResponse.next()); return NextResponse.next();
} }
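Review bot: With forceSSL removed, the middleware no longer consults FORCE_SSL at all, and nothing on either side of the change redirects plain-HTTP requests to HTTPS; the `headers` entry added in the config file below only emits a Strict-Transport-Security header, which browsers honour only after a response has already arrived over HTTPS, so a first plain-HTTP visit is still served unencrypted (the removed code was no better, since it set HSTS only on `http:` requests). If FORCE_SSL is meant to force anything, the redirect belongs in this middleware before the final `return NextResponse.next();`, e.g. `if (process.env.FORCE_SSL && req.nextUrl.protocol === 'http:') { const url = req.nextUrl.clone(); url.protocol = 'https:'; return NextResponse.redirect(url); }`. Behind a TLS-terminating proxy `req.nextUrl.protocol` may reflect the internal hop rather than the client's scheme, which may be why a header-only approach was chosen; confirm how the deployment forwards the original scheme before relying on it. Otherwise a short comment on the config entry stating that FORCE_SSL only adds HSTS (and that `preload` commits the host to browser preload lists) would keep the option name from overpromising. The middleware function's body continues between the two hunks.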


@ -1,6 +1,37 @@
require('dotenv').config(); require('dotenv').config();
const pkg = require('./package.json'); const pkg = require('./package.json');
const contentSecurityPolicy = `
default-src 'self';
img-src *;
script-src 'self' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
connect-src 'self' api.umami.is;
frame-ancestors 'self';
`;
const headers = [
{
key: 'X-DNS-Prefetch-Control',
value: 'on',
},
{
key: 'X-Frame-Options',
value: 'SAMEORIGIN',
},
{
key: 'Content-Security-Policy',
value: contentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
},
];
if (process.env.FORCE_SSL) {
headers.push({
key: 'Strict-Transport-Security',
value: 'max-age=63072000; includeSubDomains; preload',
});
}
module.exports = { module.exports = {
env: { env: {
currentVersion: pkg.version, currentVersion: pkg.version,
@ -24,6 +55,10 @@ module.exports = {
}, },
async headers() { async headers() {
return [ return [
{
source: '/:path*',
headers,
},
{ {
source: `/(.*\\.js)`, source: `/(.*\\.js)`,
headers: [ headers: [