Working on header and CSP.

Author: charlesgauthereau

docker/dockerfile/Dockerfile

@@ -88,6 +88,7 @@ RUN chown -R nextjs:nodejs /app/public
 
 
 COPY --from=builder /app/next.config.ts ./
+COPY --from=builder /app/portabase.config.ts ./
 COPY --from=builder /app/drizzle.config.ts ./
 COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
 COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static

next.config.ts

@@ -1,4 +1,41 @@
 import type { NextConfig } from "next";
+import {PORTABASE_DEFAULT_SETTINGS} from "./portabase.config";
+
+
+function buildCSPHeader(): string {
+    const { CSP } = PORTABASE_DEFAULT_SETTINGS.SECURITY;
+
+    const directives = [
+        `default-src ${CSP.DEFAULT_SRC.join(" ")}`,
+        `script-src ${CSP.SCRIPT_SRC.join(" ")}`,
+        `style-src ${CSP.STYLE_SRC.join(" ")}`,
+        `img-src ${CSP.IMG_SRC.join(" ")}`,
+        `font-src ${CSP.FONT_SRC.join(" ")}`,
+        `object-src ${CSP.OBJECT_SRC.join(" ")}`,
+        `base-uri ${CSP.BASE_URI.join(" ")}`,
+        `form-action ${CSP.FORM_ACTION.join(" ")}`,
+        `frame-ancestors ${CSP.FRAME_ANCESTORS.join(" ")}`,
+    ];
+
+    if (CSP.BLOCK_ALL_MIXED_CONTENT) {
+        directives.push("block-all-mixed-content");
+    }
+
+    if (CSP.UPGRADE_INSECURE_REQUESTS) {
+        directives.push("upgrade-insecure-requests");
+    }
+
+    return directives.join("; ");
+}
+
+function buildPermissionsPolicy(): string {
+    return Object.entries(PORTABASE_DEFAULT_SETTINGS.SECURITY.PERMISSIONS_POLICY)
+        .map(([feature, values]) => `${feature}=${values.join(", ")}`)
+        .join(", ");
+}
+
+
+
 
 const nextConfig: NextConfig = {
     output: "standalone",
@@ -14,6 +51,36 @@ const nextConfig: NextConfig = {
     experimental: {
         nodeMiddleware: true,
     },
+    async headers() {
+        return [
+            {
+                source: "/(.*)",
+                headers: [
+                    {
+                        key: "Content-Security-Policy",
+                        value: buildCSPHeader(),
+                    },
+                    {
+                        key: "Permissions-Policy",
+                        value: buildPermissionsPolicy(),
+                    },
+                    {
+                        key: 'X-Content-Type-Options',
+                        value: 'nosniff',
+                    },
+                    {
+                        key: 'X-Frame-Options',
+                        value: 'DENY',
+                    },
+                    {
+                        key: 'Referrer-Policy',
+                        value: 'strict-origin-when-cross-origin',
+                    },
+                    // ...other security headers
+                ],
+            },
+        ];
+    },
 };
 
 export default nextConfig;

portabase.config.ts

@@ -0,0 +1,25 @@
+
+export const PORTABASE_DEFAULT_SETTINGS = {
+    SECURITY: {
+        CSP: {
+            DEFAULT_SRC: ["'self'"],
+            SCRIPT_SRC: ["'self'", "'unsafe-eval'", "'unsafe-inline'", "https://cdn.jsdelivr.net", "https://www.googletagmanager.com"],
+            STYLE_SRC: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
+            IMG_SRC: ["'self'", "blob:", "data:", "https:"],
+            FONT_SRC: ["'self'"],
+            OBJECT_SRC: ["'none'"],
+            BASE_URI: ["'self'"],
+            FORM_ACTION: ["'self'"],
+            FRAME_ANCESTORS: ["'none'"],
+            BLOCK_ALL_MIXED_CONTENT: false,
+            UPGRADE_INSECURE_REQUESTS: true,
+        },
+        PERMISSIONS_POLICY: {
+            CAMERA: ["()"],
+            MICROPHONE: ["()"],
+            GEOLOCATION: ["()"],
+            FULLSCREEN: ["(self)"],
+            // ...other features
+        },
+    },
+};