dzeio/libs
1
0
Fork 0
mirror of https://github.com/dzeiocom/libs.git synced 2025-06-07 00:29:56 +00:00
Code

fix(config): Better CSP security

Browse Source 
Signed-off-by: Avior <f.bouillon@aptatio.com>
This commit is contained in:
Florian Bouillon 2022-12-12 12:05:46 +01:00
parent 2528f5e1af
commit 9d7af6076a
Signed by: Florian Bouillon
GPG Key ID: E05B3A94178D3A7C
1 changed files with 14 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
packages/config/next.config.ts
View File

@ -1,6 +1,6 @@
import { NextConfig, defaultConfig } from 'next/dist/server/config-shared'
import { PHASE_DEVELOPMENT_SERVER } from 'next/constants'
import { objectLoop } from '@dzeio/object-util' import { objectLoop } from '@dzeio/object-util'
import { PHASE_DEVELOPMENT_SERVER } from 'next/constants'
import { defaultConfig, NextConfig } from 'next/dist/server/config-shared'
// @ts-expect-error next-pre-css has no typing available // @ts-expect-error next-pre-css has no typing available
import preCSS from 'next-pre-css' import preCSS from 'next-pre-css'
@ -35,6 +35,12 @@ export const config = (options?: Options): typeof defaultConfig & NextConfig =>
async headers() { async headers() {
const hosts = options?.hosts ?? {} const hosts = options?.hosts ?? {}
if (process.env.NODE_ENV !== 'production') {
if (!hosts.script) {
hosts.script = []
}
hosts.script.push('unsafe-eval')
}
let hostlist: Array<string> = [] let hostlist: Array<string> = []
@ -54,11 +60,11 @@ export const config = (options?: Options): typeof defaultConfig & NextConfig =>
"form-action 'self'; " + "form-action 'self'; " +
"manifest-src 'self'; " + "manifest-src 'self'; " +
"prefetch-src 'self'; " + "prefetch-src 'self'; " +
`script-src 'self' 'unsafe-inline' 'unsafe-eval' ${hosts?.script?.join(' ')}; ` + `script-src 'self' 'unsafe-inline' ${hosts?.script?.map((it) => `'${it}'`)?.join(' ') ?? ''}; ` +
`style-src 'self' 'unsafe-inline' ${hosts?.style?.join(' ')}; ` + `style-src 'self' 'unsafe-inline' ${hosts?.style?.map((it) => `'${it}'`)?.join(' ') ?? ''}; ` +
`img-src data: 'self' ${hosts?.img?.join(' ')}; ` + `img-src data: 'self' ${hosts?.img?.map((it) => `'${it}'`)?.join(' ') ?? ''}; ` +
`font-src 'self' ${hosts?.font?.join(' ')}; ` + `font-src 'self' ${hosts?.font?.map((it) => `'${it}'`)?.join(' ') ?? ''}; ` +
`connect-src 'self' ${hostlist.join(' ')}; ` + `connect-src 'self' ${hostlist.filter((it) => !it.startsWith('unsafe')).map((it) => `'${it}'`).join(' ')}; ` +
"base-uri 'self';" "base-uri 'self';"
} }
const XXssProtection = { const XXssProtection = {
@ -75,7 +81,7 @@ export const config = (options?: Options): typeof defaultConfig & NextConfig =>
value: 'nosniff' value: 'nosniff'
}, { }, {
key: 'Referrer-Policy', key: 'Referrer-Policy',
value: 'strict-origin-when-cross-origin' value: 'no-referer'
}, { }, {
key: 'Permissions-Policy', key: 'Permissions-Policy',
value: 'geolocation=(), microphone=(), interest-cohort=()' value: 'geolocation=(), microphone=(), interest-cohort=()'