added security headers with an effective content policy (#43)
This commit is contained in:
parent
97a393604d
commit
fdf209c265
|
@ -2,6 +2,58 @@ const withPlugins = require('next-compose-plugins');
|
|||
const withFonts = require('next-fonts');
|
||||
const withSvgr = require('@newhighsco/next-plugin-svgr');
|
||||
|
||||
const ContentSecurityPolicy = `
|
||||
default-src 'self';
|
||||
script-src 'self' ${
|
||||
process.env.NODE_ENV == 'development' ? "'unsafe-eval' " : ''
|
||||
}'unsafe-inline' *.ctfassets.net *.youtube.com *.twitter.com;
|
||||
child-src 'self' *.ctfassets.net *.youtube.com *.twitter.com;
|
||||
style-src 'self' 'unsafe-inline' *.googleapis.com;
|
||||
img-src 'self' blob: data: *.ctfassets.net *.youtube.com *.twitter.com;
|
||||
media-src 'self';
|
||||
connect-src *;
|
||||
font-src 'self' blob: data: fonts.gstatic.com maxcdn.bootstrapcdn.com;
|
||||
worker-src 'self' blob:;
|
||||
`;
|
||||
|
||||
const securityHeaders = () => {
|
||||
const headers = [
|
||||
{
|
||||
key: 'X-DNS-Prefetch-Control',
|
||||
value: 'on',
|
||||
},
|
||||
{
|
||||
key: 'Strict-Transport-Security',
|
||||
value: 'max-age=63072000; includeSubDomains; preload',
|
||||
},
|
||||
{
|
||||
key: 'X-XSS-Protection',
|
||||
value: '1; mode=block',
|
||||
},
|
||||
{
|
||||
key: 'X-Frame-Options',
|
||||
value: 'SAMEORIGIN',
|
||||
},
|
||||
{
|
||||
key: 'Permissions-Policy',
|
||||
value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()',
|
||||
},
|
||||
{
|
||||
key: 'X-Content-Type-Options',
|
||||
value: 'nosniff',
|
||||
},
|
||||
{
|
||||
key: 'Referrer-Policy',
|
||||
value: 'strict-origin-when-cross-origin',
|
||||
},
|
||||
{
|
||||
key: 'Content-Security-Policy',
|
||||
value: ContentSecurityPolicy.replace(/\n/g, ''),
|
||||
},
|
||||
];
|
||||
return headers;
|
||||
};
|
||||
|
||||
const nextConfig = {
|
||||
env: {
|
||||
CONTENTFUL_SPACE_ID: process.env.CONTENTFUL_SPACE_ID,
|
||||
|
@ -11,6 +63,14 @@ const nextConfig = {
|
|||
CAMPAIGN_MONITOR_API_KEY: process.env.CAMPAIGN_MONITOR_API_KEY,
|
||||
CAMPAIGN_MONITOR_LIST_API_ID: process.env.CAMPAIGN_MONITOR_LIST_API_ID,
|
||||
},
|
||||
async headers() {
|
||||
return [
|
||||
{
|
||||
source: '/(.*)',
|
||||
headers: securityHeaders(),
|
||||
},
|
||||
];
|
||||
},
|
||||
images: {
|
||||
domains: ['downloads.ctfassets.net', 'images.ctfassets.net'],
|
||||
},
|
||||
|
|
Loading…
Reference in New Issue