From 6722e88a7b594c46e40577addcf3c98962f23165 Mon Sep 17 00:00:00 2001
From: pablonyx
Date: Thu, 12 Dec 2024 15:01:40 -0800
Subject: [PATCH] Security (#3452)

* security policies
* k
* update config
---
 web/next.config.js | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/web/next.config.js b/web/next.config.js
index 7e001f764..a44bd7924 100644
--- a/web/next.config.js
+++ b/web/next.config.js
@@ -7,12 +7,57 @@ const version = env_version || package_version;
 // Always require withSentryConfig
 const { withSentryConfig } = require("@sentry/nextjs");
 
+const cspHeader = `
+  style-src 'self' 'unsafe-inline';
+  font-src 'self';
+  object-src 'none';
+  base-uri 'self';
+  form-action 'self';
+  frame-ancestors 'none';
+  ${process.env.NEXT_PUBLIC_CLOUD_ENABLED === "true" ? "upgrade-insecure-requests;" : ""}
+`;
+
 /** @type {import('next').NextConfig} */
 const nextConfig = {
   output: "standalone",
   publicRuntimeConfig: {
     version,
   },
+  async headers() {
+    return [
+      {
+        source: "/(.*)",
+        headers: [
+          {
+            key: "Content-Security-Policy",
+            value: cspHeader.replace(/\n/g, ""),
+          },
+          {
+            key: "Strict-Transport-Security",
+            value: "max-age=63072000; includeSubDomains; preload",
+          },
+          {
+            key: "Referrer-Policy",
+            value: "strict-origin-when-cross-origin",
+          },
+          {
+            key: "X-Frame-Options",
+            value: "DENY",
+          },
+          {
+            key: "X-Content-Type-Options",
+            value: "nosniff",
+          },
+          {
+            key: "Permissions-Policy",
+            // Deny all permissions by default
+            value:
+              "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()",
+          },
+        ],
+      },
+    ];
+  },
 };
 
 // Sentry configuration for error monitoring:
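Review bot: The policy built in `cspHeader` contains no `default-src` and no `script-src`, so it places no restriction on script, connect, img or frame sources and does not mitigate XSS; only `object-src`, `base-uri`, `form-action` and `frame-ancestors` are locked down, and the one source directive present, `style-src`, carries `'unsafe-inline'`. That is a defensible first step for a Next.js app (its inline bootstrap scripts need nonces or hashes before `script-src` can be tightened), but it should be written down so the header is not mistaken for XSS protection: `// NOTE: deliberately no default-src/script-src yet — this CSP does not restrict script or connect sources; Next.js inline scripts need nonces before those can be added.` Separately, `Strict-Transport-Security` with `includeSubDomains; preload` is emitted unconditionally while `upgrade-insecure-requests` in the same hunk is gated on `NEXT_PUBLIC_CLOUD_ENABLED`; a self-hosted deployment that still serves some subdomains over plain HTTP may not want a two-year, subdomain-wide HSTS commitment (and `preload` signals eligibility for browser preload lists), so gate it the same way: `...(process.env.NEXT_PUBLIC_CLOUD_ENABLED === "true" ? [{ key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" }] : []),`. `frame-ancestors 'none'` and `X-Frame-Options: DENY` overlap, which is fine, but a short comment such as `// X-Frame-Options kept for browsers without frame-ancestors support` would explain why both are sent.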