
feat(sec): add security headers #311

Merged
merged 1 commit into from
Sep 7, 2024
Conversation

@42tte 42tte (Contributor) commented Oct 21, 2022

default-src 'self';
connect-src 'self' https://variant.innocraft.cloud/;
script-src 'self' 'sha256-j6xN8x073Dhm+Ee4HKwIIRXsHIqI5aIRHC0pgnhVcJY=' https://variant.innocraft.cloud/ ${
process.env.NODE_ENV !== 'production' ? "'unsafe-eval'" : ''
@42tte 42tte (Contributor, Author) commented on the lines above, Oct 21, 2022

'unsafe-eval' needed for hot reload in dev build

const ContentSecurityPolicy = `
default-src 'self';
connect-src 'self' https://variant.innocraft.cloud/;
script-src 'self' 'sha256-j6xN8x073Dhm+Ee4HKwIIRXsHIqI5aIRHC0pgnhVcJY=' https://variant.innocraft.cloud/ ${
@42tte 42tte (Contributor, Author) commented on the lines above

Should have used 'strict-dynamic' but there is no good way of using generated nonces in Nextjs vercel/next.js#21587

@mikaelbr mikaelbr (Member) commented Sep 4, 2024

Haven't gone through all potential external references here, but at a glance it looks to cover the things I can think of at least. Now there will be a new implementation of variant webpage, so this would have to be ported over. In that port I also think we could transition to using middleware which I believe now can support nonce.

@42tte 42tte force-pushed the 42tte/feat-security-headers branch from 40489d4 to 827ffa5 on September 7, 2024 07:57
@42tte 42tte merged commit 701addb into main Sep 7, 2024
7 checks passed
@42tte 42tte deleted the 42tte/feat-security-headers branch September 7, 2024 08:17