/* eslint-disable max-lines */
/**
 * Base Next.js configuration.
 *
 * `images.domains` lists the remote hosts `next/image` is allowed to load from.
 * `headers()` attaches `securityHeaders` (declared further down in this file)
 * to every route in every environment — the `/(.*)` matcher is unconditional.
 */
const nextConfig = {
  images: {
    domains: [
      "www.quivr.app",
      "quivr-cms.s3.eu-west-3.amazonaws.com",
      "www.gravatar.com",
      "media.licdn.com",
    ],
  },
  // eslint-disable-next-line prefer-arrow/prefer-arrow-functions
  async headers() {
    // A single rule covering every path. `securityHeaders` is only read when
    // Next invokes this function, i.e. after the whole module has evaluated,
    // so referencing a const declared below is safe.
    const everyRoute = { source: "/(.*)", headers: securityHeaders };
    return [everyRoute];
  },
};
// Environment-supplied origins, read once when this config module loads.
// NEXT_PUBLIC_FRONTEND_URL is the app's own public origin and differs per
// environment (prod / preview / local).
const {
  NEXT_PUBLIC_SUPABASE_URL: supabaseUrl,
  NEXT_PUBLIC_BACKEND_URL: backendUrl,
  NEXT_PUBLIC_CMS_URL: cmsUrl,
  NEXT_PUBLIC_FRONTEND_URL: frontendUrl,
} = process.env;

/**
 * Content-Security-Policy directives keyed by directive name. Insertion order
 * is the order in which `cspString` below serialises them into the header.
 *
 * What this policy does and does not provide:
 * - script-src carries 'unsafe-inline' and 'unsafe-eval', so it does not stop
 *   injected inline script; it only restricts which hosts may serve script.
 *   Moving to nonce- or hash-based script-src is the hardening follow-up.
 * - script-src and style-src contain no 'self': first-party bundles are allowed
 *   solely through NEXT_PUBLIC_FRONTEND_URL. If that variable is unset the
 *   entry is `undefined` and the app's own scripts/styles are blocked.
 * - Every env-derived entry is optional from JavaScript's point of view; an
 *   unset one contributes nothing to the header and silently removes that
 *   origin from the allow-list.
 * - frame-ancestors 'none' forbids all framing and, in CSP-aware browsers,
 *   takes precedence over the X-Frame-Options header sent alongside it.
 */
const ContentSecurityPolicy = {
  "default-src": [
    "'self'",
    "https://fonts.googleapis.com",
    supabaseUrl,
    "https://api.june.so",
    frontendUrl,
  ],
  "connect-src": [
    "'self'",
    supabaseUrl,
    backendUrl,
    cmsUrl,
    "https://api.june.so",
    "https://api.openai.com",
    "https://cdn.growthbook.io",
    "https://vitals.vercel-insights.com/v1/vitals",
  ],
  "img-src": [
    "'self'",
    "https://www.gravatar.com",
    "https://quivr-cms.s3.eu-west-3.amazonaws.com",
    "data:",
  ],
  "media-src": [
    "'self'",
    "https://user-images.githubusercontent.com",
    frontendUrl,
    "https://quivr-cms.s3.eu-west-3.amazonaws.com",
  ],
  "script-src": [
    "'unsafe-inline'",
    "'unsafe-eval'",
    "https://va.vercel-scripts.com/",
    frontendUrl,
    "https://www.google-analytics.com/",
  ],
  "frame-ancestors": ["'none'"],
  "style-src": ["'unsafe-inline'", frontendUrl],
};
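// Build CSP string
// Serialises the directive map into the header value, one `directive src …;`
// group per entry, in insertion order. Sources that resolve to an unset or
// empty env var are skipped rather than joined as a blank token, and a warning
// is printed: a missing NEXT_PUBLIC_* variable would otherwise silently narrow
// the policy (e.g. an unset NEXT_PUBLIC_FRONTEND_URL removes the only
// first-party entry from script-src). For a fully configured environment the
// output is byte-identical to the plain join.
const cspString = Object.entries(ContentSecurityPolicy)
  .map(([directive, sources]) => {
    const present = sources.filter(
      (src) => typeof src === "string" && src.length > 0
    );
    const dropped = sources.length - present.length;
    if (dropped > 0) {
      // Best-effort diagnostic at config-load time; never throws so a partial
      // environment still builds.
      console.warn(
        `[next.config.js] CSP directive "${directive}" is missing ${dropped} source(s) — check the NEXT_PUBLIC_* environment variables`
      );
    }
    return `${directive} ${present.join(" ")};`;
  })
  .join(" ");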
// Define headers
// Response headers that `nextConfig.headers()` attaches to every route. The
// French note that used to follow this list ("add the content security policy
// only in preview and prod") describes an earlier setup: the CSP is now sent in
// every environment, with per-environment origins coming from NEXT_PUBLIC_*.
const securityHeaders = Object.entries({
  // Serialised from ContentSecurityPolicy above. script-src still allows
  // 'unsafe-inline'/'unsafe-eval', so this header's protection against script
  // injection is limited to host allow-listing.
  "Content-Security-Policy": cspString,
  // Full URL as referrer for same-origin requests, origin only for cross-origin.
  "Referrer-Policy": "origin-when-cross-origin",
  // Legacy anti-framing header for browsers without CSP frame-ancestors support.
  // The CSP says 'none' while this says SAMEORIGIN; where both are understood
  // the CSP wins, so only a browser without CSP frame-ancestors would honour
  // same-origin framing. DENY would make the two headers agree.
  "X-Frame-Options": "SAMEORIGIN",
  // Disable MIME-type sniffing of responses.
  "X-Content-Type-Options": "nosniff",
  "X-DNS-Prefetch-Control": "on",
  // Deny the listed browser features to this origin and any embedded content;
  // interest-cohort=() opts out of FLoC.
  "Permissions-Policy":
    "camera=(), microphone=(), geolocation=(), interest-cohort=()",
  // One year of HSTS. No includeSubDomains or preload directive, so only this
  // exact host is pinned to HTTPS.
  "Strict-Transport-Security": "max-age=31536000",
}).map(([key, value]) => ({ key, value }));
// Check if the SENTRY_DSN environment variable is defined
// Sentry is wired in only when a DSN is configured; otherwise the plain config
// is exported and @sentry/nextjs is never required.
if (process.env.SENTRY_DSN) {
  // SENTRY_DSN exists, include Sentry configuration
  const { withSentryConfig } = require("@sentry/nextjs");

  // Options for the Sentry webpack plugin. For all available options, see:
  // https://github.com/getsentry/sentry-webpack-plugin#options
  const sentryWebpackPluginOptions = {
    // Suppresses source map uploading logs during build
    silent: true,
    org: "quivr-0f",
    project: "javascript-nextjs",
  };

  // Options for the Sentry Next.js integration. For all available options, see:
  // https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/
  const sentryNextjsOptions = {
    // Upload a larger set of source maps for prettier stack traces (increases build time)
    widenClientFileUpload: true,
    // Transpiles SDK to be compatible with IE11 (increases bundle size)
    transpileClientSDK: true,
    // Routes browser requests to Sentry through a Next.js rewrite to circumvent ad-blockers (increases server load)
    // The rewrite is same-origin, so it should already be permitted by the
    // connect-src 'self' entry in the CSP above.
    tunnelRoute: "/monitoring",
    // Hides source maps from generated client bundles
    hideSourceMaps: true,
    // Automatically tree-shake Sentry logger statements to reduce bundle size
    disableLogger: true,
  };

  module.exports = withSentryConfig(
    nextConfig,
    sentryWebpackPluginOptions,
    sentryNextjsOptions
  );
} else {
  // SENTRY_DSN does not exist, export nextConfig without Sentry
  module.exports = nextConfig;
}