Merge pull request #79 from jzakotnik/78-security-config

security config
jzakotnik · Mar 26, 2024 · c45df2c · c45df2c
2 parents 085a10b + 0af4ccd
commit c45df2c
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 6 deletions.
diff --git a/.env_example b/.env_example
@@ -20,9 +20,13 @@ COVERIMAGE_FILESTORAGE_PATH=/somepath
 # Login Session Timeout for inactivity in seconds (e.g. 500)
 LOGIN_SESSION_TIMEOUT=seconds
 
+# Configure if content security policy is set on the http headers, if you don't want CSR header, use "insecure"
+SECURITY_HEADERS=secure
+
 
 # School name
 SCHOOL_NAME="Mustermann Schule"
 LOGO_LABEL="schullogo.jpg"
+USERID_LABEL=userlabeltemplate.jpg
 EXTENSION_DURATION_DAYS=22
 NUMBER_BOOKS_OVERVIEW=100
diff --git a/middleware.ts b/middleware.ts
@@ -21,12 +21,14 @@ export default withAuth(
 `;
 
     const requestHeaders = new Headers(req.headers);
-    requestHeaders.set("x-nonce", nonce);
-    requestHeaders.set(
-      "Content-Security-Policy",
-      // Replace newline characters and spaces
-      cspHeader.replace(/\s{2,}/g, " ").trim()
-    );
+    if (process.env.SECURITY_HEADERS != "insecure") {
+      requestHeaders.set("x-nonce", nonce);
+      requestHeaders.set(
+        "Content-Security-Policy",
+        // Replace newline characters and spaces
+        cspHeader.replace(/\s{2,}/g, " ").trim()
+      );
+    }
     if (req.nextUrl.pathname == "/admin") {
       ////console.log("Admin page fetched");