From bc36ea651afbb3499f1d3e1f05ff5e17765eff44 Mon Sep 17 00:00:00 2001 From: lavgup Date: Sat, 4 Sep 2021 17:36:04 +1000 Subject: [PATCH 1/4] Add security headers
---
 next.config.js | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
diff --git a/next.config.js b/next.config.js
index cb3c5604..648be98b 100644
--- a/next.config.js
+++ b/next.config.js
@@ -10,4 +10,62 @@ module.exports = withMDX({
 reactStrictMode: true,
 basePath: "/docs",
 pageExtensions: ["js", "jsx", "ts", "tsx", "md", "mdx"],
+ headers() {
+ return [
+ {
+ source: '/(.*)',
+ headers: securityHeaders
+ }
+ ];
+ },
+ });
+
+ const ContentSecurityPolicy = `
+ default-src 'self';
+ script-src 'self' 'unsafe-eval' 'unsafe-inline' *.youtube.com *.twitter.com;
+ child-src *.youtube.com *.google.com *.twitter.com;
+ style-src 'self' 'unsafe-inline' *.googleapis.com;
+ img-src * blob: data:;
+ media-src 'none';
+ connect-src *;
+ font-src 'self';
+ `;
+
+ const securityHeaders = [
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ {
+ key: 'Content-Security-Policy',
+ value: ContentSecurityPolicy.replace(/\n/g, '')
+ },
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+ {
+ key: 'Referrer-Policy',
+ value: 'origin-when-cross-origin'
+ },
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ {
+ key: 'X-Frame-Options',
+ value: 'DENY'
+ },
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+ {
+ key: 'X-Content-Type-Options',
+ value: 'nosniff'
+ },
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
+ {
+ key: 'X-DNS-Prefetch-Control',
+ value: 'on'
+ },
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+ {
+ key: 'Strict-Transport-Security',
+ value: 'max-age=31536000; preload'
+ },
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
+ // Opt-out of Google FLoC: https://amifloced.org/
+ {
+ key: 'Permissions-Policy',
+ value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()'
+ },
+ ];
From 54683832c984d72a52391e853fd0b19f5022e7d0 Mon Sep 17 00:00:00 2001 From: lavgup Date: Sat, 4 Sep 2021 17:38:25 +1000 Subject: [PATCH 2/4] Use String#replaceAll instead
---
 next.config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
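Review bot: `X-Frame-Options: DENY` has no CSP counterpart in the added policy — `frame-ancestors` does not fall back to `default-src`, so the CSP itself says nothing about framing; add `frame-ancestors 'none';` to the `ContentSecurityPolicy` template so the two headers agree and the policy stands on its own. The `Strict-Transport-Security` value requests `preload` without `includeSubDomains`, which the preload list requires; use `value: 'max-age=31536000; includeSubDomains; preload'` only if every subdomain is served over HTTPS, otherwise drop `preload`. With `script-src` carrying both `'unsafe-inline'` and `'unsafe-eval'` and `connect-src *` permitting requests to any origin, the policy mitigates little of an XSS's impact today, so a comment such as `// TODO: replace 'unsafe-inline' with nonces/hashes and restrict connect-src` would keep that debt visible next to the directive. `Referrer-Policy` would be tighter as `strict-origin-when-cross-origin`, which stops sending the origin on HTTPS-to-HTTP downgrades. The `headers()` method belongs to the `withMDX({...})` call whose start lies before the hunk.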
diff --git a/next.config.js b/next.config.js
index 648be98b..f6e49cf4 100644
--- a/next.config.js
+++ b/next.config.js
@@ -35,7 +35,7 @@ const securityHeaders = [
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
 {
 key: 'Content-Security-Policy',
- value: ContentSecurityPolicy.replace(/\n/g, '')
+ value: ContentSecurityPolicy.replaceAll(/\n/, '')
 },
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 {
From a5dbd317990a65ce96689f5f287debcb7630b418 Mon Sep 17 00:00:00 2001 From: lavgup Date: Sat, 4 Sep 2021 17:40:56 +1000 Subject: [PATCH 3/4] Guess you still need the global flag, will keep method name for readability
---
 next.config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/next.config.js b/next.config.js
index f6e49cf4..560f936a 100644
--- a/next.config.js
+++ b/next.config.js
@@ -35,7 +35,7 @@ const securityHeaders = [
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
 {
 key: 'Content-Security-Policy',
- value: ContentSecurityPolicy.replaceAll(/\n/, '')
+ value: ContentSecurityPolicy.replaceAll(/\n/g, '')
 },
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 {
From 44ac1c8323d4fdece350b3bfb96b5d0a2f506228 Mon Sep 17 00:00:00 2001 From: lavgup Date: Sat, 4 Sep 2021 20:30:09 +1000 Subject: [PATCH 4/4] Add font-src
---
 next.config.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/next.config.js b/next.config.js
index 560f936a..6f494df9 100644
--- a/next.config.js
+++ b/next.config.js
@@ -24,11 +24,11 @@ const ContentSecurityPolicy = `
 default-src 'self';
 script-src 'self' 'unsafe-eval' 'unsafe-inline' *.youtube.com *.twitter.com;
 child-src *.youtube.com *.google.com *.twitter.com;
- style-src 'self' 'unsafe-inline' *.googleapis.com;
+ style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
+ font-src 'self' https://fonts.gstatic.com;
 img-src * blob: data:;
 media-src 'none';
 connect-src *;
- font-src 'self';
 `;
 const securityHeaders = [
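Review bot: `String.prototype.replaceAll` only exists from Node 15 onward, so the `value: ContentSecurityPolicy.replaceAll(/\n/g, '')` line makes `next.config.js` throw `replaceAll is not a function` at build time on Node 12/14 — if the project still targets those runtimes, `replace(/\n/g, '')` is the safe form. `replaceAll` with a regex also requires the `g` flag anyway (that is the TypeError the previous commit hit), so it behaves identically to `replace` here and buys no readability. Either way the template literal's leading indentation is kept inside the header value; `value: ContentSecurityPolicy.replace(/\s{2,}/g, ' ').trim()` would collapse it to the canonical single-space form. The `securityHeaders` array starts and ends outside the hunk.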