fix: add valid csp header

Informasjonsforvaltning · May 27, 2024 · ee1a1ba · ee1a1ba
1 parent 7b45315
commit ee1a1ba
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/apps/forms/Dockerfile b/apps/forms/Dockerfile
@@ -1,7 +1,7 @@
 FROM node:20-alpine3.18
 WORKDIR /app
 COPY yarn.lock dist/apps/forms ./
-ENV NODE_ENV=$NODE_ENV
+ENV NODE_ENV=production
 RUN corepack enable
 RUN yarn set version stable
 RUN yarn install

diff --git a/apps/forms/next.config.js b/apps/forms/next.config.js
@@ -3,6 +3,19 @@
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const { composePlugins, withNx } = require('@nx/next');
 
+const cspHeader = `
+    default-src 'self';
+    script-src 'self' 'unsafe-eval' 'unsafe-inline';
+    style-src 'self' 'unsafe-inline';
+    img-src 'self' blob: data:;
+    font-src 'self';
+    object-src 'none';
+    base-uri 'self';
+    form-action 'self';
+    frame-ancestors 'none';
+    upgrade-insecure-requests;
+  `;
+
 /**
  * @type {import('@nx/next/plugins/with-nx').WithNxOptions}
  **/
@@ -24,6 +37,19 @@ const nextConfig = {
       },
     ];
   },
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'Content-Security-Policy',
+            value: cspHeader.replace(/\n/g, ''),
+          },
+        ],
+      },
+    ];
+  },
 };
 
 const plugins = [