Security (#3452)

* security policies * k * update config
2025-04-08 20:08:36 +02:00 · 2024-12-12 15:01:40 -08:00 · 2024-12-12 15:01:40 -08:00 · 6722e88a7b
commit 6722e88a7b
parent 5b5e1eb7c7
1 changed files with 45 additions and 0 deletions
--- a/web/next.config.js
+++ b/web/next.config.js
@ -7,12 +7,57 @@ const version = env_version || package_version;
 // Always require withSentryConfig
 const { withSentryConfig } = require("@sentry/nextjs");

+const cspHeader = `
+    style-src 'self' 'unsafe-inline';
+    font-src 'self';
+    object-src 'none';
+    base-uri 'self';
+    form-action 'self';
+    frame-ancestors 'none';
+    ${process.env.NEXT_PUBLIC_CLOUD_ENABLED === "true" ? "upgrade-insecure-requests;" : ""}
+`;
+
 /** @type {import('next').NextConfig} */
 const nextConfig = {
  output: "standalone",
  publicRuntimeConfig: {
    version,
  },
+  async headers() {
+    return [
+      {
+        source: "/(.*)",
+        headers: [
+          {
+            key: "Content-Security-Policy",
+            value: cspHeader.replace(/\n/g, ""),
+          },
+          {
+            key: "Strict-Transport-Security",
+            value: "max-age=63072000; includeSubDomains; preload",
+          },
+          {
+            key: "Referrer-Policy",
+            value: "strict-origin-when-cross-origin",
+          },
+          {
+            key: "X-Frame-Options",
+            value: "DENY",
+          },
+          {
+            key: "X-Content-Type-Options",
+            value: "nosniff",
+          },
+          {
+            key: "Permissions-Policy",
+            // Deny all permissions by default
+            value:
+              "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()",
+          },
+        ],
+      },
+    ];
+  },
 };

 // Sentry configuration for error monitoring: