add cors security headers (#533)

This commit is contained in:
Zineb El Bachiri 2023-07-06 19:01:38 +02:00 committed by GitHub
parent 4261ddae51
commit 9e942ba959
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 78 additions and 25 deletions


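--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -3,6 +3,7 @@ from fastapi.middleware.cors import CORSMiddleware
 origins = [
 "http://localhost",
 "http://localhost:3000",
+"http://localhost:3001",
 "https://quivr.app",
 "https://www.quivr.app",
 "http://quivr.app",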
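Review bot: The added `"http://localhost:3001"` entry, like the two localhost entries above it, places a development origin in a CORS allow-list that also carries the production hosts, so every deployment built from this file will accept cross-origin requests from any page served on a developer's loopback port. Consider appending the localhost origins only when an environment variable marks a development build, and keep the production list free of them; the variable name should come from the project's existing settings rather than a new ad-hoc one. The `origins` list closes outside the hunk, so the remaining entries are not visible here.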


@ -1,4 +1,56 @@
const nextConfig = {}; const nextConfig = {
// eslint-disable-next-line prefer-arrow/prefer-arrow-functions
async headers() {
return [
{
source: "/(.*)",
headers: securityHeaders,
},
];
},
};
//add check of if localhsot of not
const ContentSecurityPolicy = `
default-src 'self' https://fonts.googleapis.com ${process.env.NEXT_PUBLIC_SUPABASE_URL} https://api.june.so http://localhost:3001/;
connect-src 'self' ${process.env.NEXT_PUBLIC_SUPABASE_URL} ${process.env.NEXT_PUBLIC_BACKEND_URL} https://api.june.so;
img-src 'self' data:;
script-src 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com/ http://localhost:3001/;
frame-ancestors 'none';
style-src 'unsafe-inline' http://localhost:3001/;
`;
// Define headers
const securityHeaders = [
{
key: "Content-Security-Policy",
value: ContentSecurityPolicy.replace(/\n/g, ""),
},
{
key: "Referrer-Policy",
value: "origin-when-cross-origin",
},
{
key: "X-Frame-Options",
value: "SAMEORIGIN",
},
{
key: "X-Content-Type-Options",
value: "nosniff",
},
{
key: "X-DNS-Prefetch-Control",
value: "on",
},
{
key: "Permissions-Policy",
value: "camera=(), microphone=(), geolocation=(), interest-cohort=()",
},
{
key: "Strict-Transport-Security",
value: "max-age=31536000",
},
];
//AJouter le content security policy uniquement en pre-vew et en prod
// Check if the SENTRY_DSN environment variable is defined // Check if the SENTRY_DSN environment variable is defined
if (process.env.SENTRY_DSN) { if (process.env.SENTRY_DSN) {
@ -6,38 +58,38 @@ if (process.env.SENTRY_DSN) {
const { withSentryConfig } = require("@sentry/nextjs"); const { withSentryConfig } = require("@sentry/nextjs");
module.exports = withSentryConfig( module.exports = withSentryConfig(
nextConfig, nextConfig,
{ {
// For all available options, see: // For all available options, see:
// https://github.com/getsentry/sentry-webpack-plugin#options // https://github.com/getsentry/sentry-webpack-plugin#options
// Suppresses source map uploading logs during build // Suppresses source map uploading logs during build
silent: true, silent: true,
org: "quivr-0f", org: "quivr-0f",
project: "javascript-nextjs", project: "javascript-nextjs",
}, },
{ {
// For all available options, see: // For all available options, see:
// https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/ // https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/
// Upload a larger set of source maps for prettier stack traces (increases build time) // Upload a larger set of source maps for prettier stack traces (increases build time)
widenClientFileUpload: true, widenClientFileUpload: true,
// Transpiles SDK to be compatible with IE11 (increases bundle size) // Transpiles SDK to be compatible with IE11 (increases bundle size)
transpileClientSDK: true, transpileClientSDK: true,
// Routes browser requests to Sentry through a Next.js rewrite to circumvent ad-blockers (increases server load) // Routes browser requests to Sentry through a Next.js rewrite to circumvent ad-blockers (increases server load)
tunnelRoute: "/monitoring", tunnelRoute: "/monitoring",
// Hides source maps from generated client bundles // Hides source maps from generated client bundles
hideSourceMaps: true, hideSourceMaps: true,
// Automatically tree-shake Sentry logger statements to reduce bundle size // Automatically tree-shake Sentry logger statements to reduce bundle size
disableLogger: true, disableLogger: true,
} }
); );
} else { } else {
// SENTRY_DSN does not exist, export nextConfig without Sentry // SENTRY_DSN does not exist, export nextConfig without Sentry
module.exports = nextConfig; module.exports = nextConfig;
} }
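Review bot: The `script-src` and `style-src` directives in `ContentSecurityPolicy` omit `'self'`, and since an explicit directive does not fall back to `default-src`, the app's own same-origin bundles and stylesheets are likely to be blocked on any host other than `http://localhost:3001`; add `'self'` to both, e.g. `script-src 'self' 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com/ http://localhost:3001/;`. The `'unsafe-inline' 'unsafe-eval'` allowances largely neutralise the CSP as an XSS mitigation, so the line deserves a comment stating why they are currently required and a tracked `// TODO:` to move to nonces or hashes. `X-Frame-Options: "SAMEORIGIN"` disagrees with `frame-ancestors 'none'`; browsers honouring CSP will apply `'none'`, so `value: "DENY"` keeps the two consistent. The `${process.env.NEXT_PUBLIC_SUPABASE_URL}` and `${process.env.NEXT_PUBLIC_BACKEND_URL}` interpolations become the literal token `undefined` when the variable is unset, silently dropping that host from the policy, so a guard or build-time assertion on those variables would surface the misconfiguration. The two leftover comments (`//add check of if localhsot of not` and the French one about enabling the CSP only in preview and production) should be replaced by a single English `// TODO:` saying that the localhost sources and the CSP itself are to be gated on the deployment environment.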