feat(web): add security headers

tryabby · Jul 25, 2024 · 40055b1 · 40055b1
1 parent da5695d
commit 40055b1
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/apps/web/next.config.mjs b/apps/web/next.config.mjs
@@ -30,6 +30,19 @@ const withBundleAnalyzer = bundleAnalzyer({
  */
 !process.env.SKIP_ENV_VALIDATION && (await import("./src/env/server.mjs"));
 
+const cspHeader = `
+    default-src 'self';
+    script-src 'self' 'unsafe-eval' 'unsafe-inline';
+    style-src 'self' 'unsafe-inline';
+    img-src 'self' blob: data:;
+    font-src 'self';
+    object-src 'none';
+    base-uri 'self';
+    form-action 'self';
+    frame-ancestors 'none';
+    upgrade-insecure-requests;
+`;
+
 /** @type {import("next").NextConfig} */
 const config = {
   reactStrictMode: true,
@@ -44,6 +57,19 @@ const config = {
   experimental: {
     instrumentationHook: true,
   },
+  async headers() {
+    return [
+      {
+        source: "/(.*)",
+        headers: [
+          {
+            key: "Content-Security-Policy",
+            value: cspHeader.replace(/\n/g, ""),
+          },
+        ],
+      },
+    ];
+  },
 };
 
 export default withPlausibleProxy()(