From 9e942ba9599ee789d43da9931bd939920d7d2ac4 Mon Sep 17 00:00:00 2001
From: Zineb El Bachiri <100568984+gozineb@users.noreply.github.com>
Date: Thu, 6 Jul 2023 19:01:38 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20add=20cors=20security=20headers=20(?=
 =?UTF-8?q?#533)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 backend/middlewares/cors.py | 1 +
 frontend/next.config.js | 102 +++++++++++++++++++++++++++---------
 2 files changed, 78 insertions(+), 25 deletions(-)

diff --git a/backend/middlewares/cors.py b/backend/middlewares/cors.py
index b5fb52372..494f15e16 100644
--- a/backend/middlewares/cors.py
+++ b/backend/middlewares/cors.py
@@ -3,6 +3,7 @@ from fastapi.middleware.cors import CORSMiddleware
 origins = [
 "http://localhost",
 "http://localhost:3000",
+ "http://localhost:3001",
 "https://quivr.app",
 "https://www.quivr.app",
 "http://quivr.app",
diff --git a/frontend/next.config.js b/frontend/next.config.js
index 7d8c003d7..70f6fc727 100644
--- a/frontend/next.config.js
+++ b/frontend/next.config.js
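Review bot: The new `"http://localhost:3001"` entry goes into a static `origins` list that, judging by the `quivr.app` entries next to it, is also the allowlist used in production, so a developer origin is accepted by production CORS too. Consider keeping local origins out of the literal and appending them only outside production, e.g. `origins += [o for o in os.environ.get("CORS_DEV_ORIGINS", "").split(",") if o]` after the list (variable name constructed; needs `os` in scope). The list also retains the plain-HTTP `"http://quivr.app"` origin, which is worth revisiting now that the frontend sends `Strict-Transport-Security`. The `origins` list continues past the hunk.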
@@ -1,4 +1,56 @@
-const nextConfig = {};
+const nextConfig = {
+ // eslint-disable-next-line prefer-arrow/prefer-arrow-functions
+ async headers() {
+ return [
+ {
+ source: "/(.*)",
+ headers: securityHeaders,
+ },
+ ];
+ },
+};
+//add check of if localhsot of not
+const ContentSecurityPolicy = `
+ default-src 'self' https://fonts.googleapis.com ${process.env.NEXT_PUBLIC_SUPABASE_URL} https://api.june.so http://localhost:3001/;
+ connect-src 'self' ${process.env.NEXT_PUBLIC_SUPABASE_URL} ${process.env.NEXT_PUBLIC_BACKEND_URL} https://api.june.so;
+ img-src 'self' data:;
+ script-src 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com/ http://localhost:3001/;
+ frame-ancestors 'none';
+ style-src 'unsafe-inline' http://localhost:3001/;
+`;
+
+// Define headers
+const securityHeaders = [
+ {
+ key: "Content-Security-Policy",
+ value: ContentSecurityPolicy.replace(/\n/g, ""),
+ },
+ {
+ key: "Referrer-Policy",
+ value: "origin-when-cross-origin",
+ },
+ {
+ key: "X-Frame-Options",
+ value: "SAMEORIGIN",
+ },
+ {
+ key: "X-Content-Type-Options",
+ value: "nosniff",
+ },
+ {
+ key: "X-DNS-Prefetch-Control",
+ value: "on",
+ },
+ {
+ key: "Permissions-Policy",
+ value: "camera=(), microphone=(), geolocation=(), interest-cohort=()",
+ },
+ {
+ key: "Strict-Transport-Security",
+ value: "max-age=31536000",
+ },
+];
+//AJouter le content security policy uniquement en pre-vew et en prod
 // Check if the SENTRY_DSN environment variable is defined
 if (process.env.SENTRY_DSN) {
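Review bot: `script-src` and `style-src` in `ContentSecurityPolicy` omit `'self'`, and a directive that is present does not fall back to `default-src`, so any deployment not served from `http://localhost:3001` (the `quivr.app` origins, for instance) would have its own Next.js bundles and stylesheets blocked by this header; add `'self'` to both, e.g. `script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com/ http://localhost:3001/;` and `style-src 'self' 'unsafe-inline' http://localhost:3001/;`. With `'unsafe-inline' 'unsafe-eval'` kept in `script-src` the policy offers little protection against injected script, so this is best treated as a first iteration with their removal tracked. `X-Frame-Options: SAMEORIGIN` contradicts `frame-ancestors 'none'` (browsers that understand CSP ignore the former), so `value: "DENY"` is the consistent choice. Each `${process.env.NEXT_PUBLIC_*}` that is unset at build time is interpolated as the literal token `undefined`, which the `//add check of if localhsot of not` comment suggests is still to be handled; dropping unset values, or failing the build on them, avoids shipping an accidental policy.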
@@ -6,38 +58,38 @@ if (process.env.SENTRY_DSN) {
 const { withSentryConfig } = require("@sentry/nextjs");
 module.exports = withSentryConfig(
- nextConfig,
- {
- // For all available options, see:
- // https://github.com/getsentry/sentry-webpack-plugin#options
+ nextConfig,
+ {
+ // For all available options, see:
+ // https://github.com/getsentry/sentry-webpack-plugin#options
- // Suppresses source map uploading logs during build
- silent: true,
+ // Suppresses source map uploading logs during build
+ silent: true,
- org: "quivr-0f",
- project: "javascript-nextjs",
- },
- {
- // For all available options, see:
- // https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/
+ org: "quivr-0f",
+ project: "javascript-nextjs",
+ },
+ {
+ // For all available options, see:
+ // https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/
- // Upload a larger set of source maps for prettier stack traces (increases build time)
- widenClientFileUpload: true,
+ // Upload a larger set of source maps for prettier stack traces (increases build time)
+ widenClientFileUpload: true,
- // Transpiles SDK to be compatible with IE11 (increases bundle size)
- transpileClientSDK: true,
+ // Transpiles SDK to be compatible with IE11 (increases bundle size)
+ transpileClientSDK: true,
- // Routes browser requests to Sentry through a Next.js rewrite to circumvent ad-blockers (increases server load)
- tunnelRoute: "/monitoring",
+ // Routes browser requests to Sentry through a Next.js rewrite to circumvent ad-blockers (increases server load)
+ tunnelRoute: "/monitoring",
- // Hides source maps from generated client bundles
- hideSourceMaps: true,
+ // Hides source maps from generated client bundles
+ hideSourceMaps: true,
- // Automatically tree-shake Sentry logger statements to reduce bundle size
- disableLogger: true,
- }
+ // Automatically tree-shake Sentry logger statements to reduce bundle size
+ disableLogger: true,
+ }
 );
 } else {
 // SENTRY_DSN does not exist,
export nextConfig without Sentry
 module.exports = nextConfig;
-}
\ No newline at end of file
+}