Added content security policy.

2026-02-12 00:27:11 +01:00 · 2022-07-31 23:29:47 -07:00 · 2022-07-31 23:29:47 -07:00 · adb069babc
commit adb069babc
parent 2b7da339e2
2 changed files with 36 additions and 9 deletions
--- a/next.config.js
+++ b/next.config.js
@ -1,6 +1,37 @@
 require('dotenv').config();
 const pkg = require('./package.json');

+const contentSecurityPolicy = `
+  default-src 'self';
+  img-src *;
+  script-src 'self' 'unsafe-eval';
+  style-src 'self' 'unsafe-inline';
+  connect-src 'self' api.umami.is;
+  frame-ancestors 'self';
+`;
+
+const headers = [
+  {
+    key: 'X-DNS-Prefetch-Control',
+    value: 'on',
+  },
+  {
+    key: 'X-Frame-Options',
+    value: 'SAMEORIGIN',
+  },
+  {
+    key: 'Content-Security-Policy',
+    value: contentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
+  },
+];
+
+if (process.env.FORCE_SSL) {
+  headers.push({
+    key: 'Strict-Transport-Security',
+    value: 'max-age=63072000; includeSubDomains; preload',
+  });
+}
+
 module.exports = {
  env: {
    currentVersion: pkg.version,
@ -24,6 +55,10 @@ module.exports = {
  },
  async headers() {
    return [
+      {
+        source: '/:path*',
+        headers,
+      },
      {
        source: `/(.*\\.js)`,
        headers: [