code-du-travail-numerique/packages/code-du-travail-frontend/proxy.ts at dev · SocialGouv/code-du-travail-numerique · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
import { NextRequest, NextResponse } from "next/server";
import { BUCKET_URL } from "./src/config";

export function proxy(request: NextRequest) {
  // Handle CORS for API routes
  if (request.nextUrl.pathname.startsWith("/api")) {
    const response = NextResponse.next();

    // Restrict CORS to specific origins (more secure than '*')
    const allowedOrigins = [
      "https://code.travail.gouv.fr",
      "https://www.code.travail.gouv.fr",
      process.env.NODE_ENV === "development" ? "http://localhost:3000" : null,
      process.env.NODE_ENV === "development" ? "http://127.0.0.1:3000" : null,
    ].filter(Boolean);

    const origin = request.headers.get("origin");

    // Check for review branches pattern: https://code-du-travail-numerique-*.ovh.fabrique.social.gouv.fr
    const isReviewBranch =
      origin &&
      /^https:\/\/code-du-travail-numerique-.+\.ovh\.fabrique\.social\.gouv\.fr$/.test(
        origin
      );

    const isAllowedOrigin =
      !origin || allowedOrigins.includes(origin) || isReviewBranch;

    if (isAllowedOrigin) {
      response.headers.set("Access-Control-Allow-Origin", origin || "*");
    }

    // Restrict allowed methods to only what's needed
    response.headers.set("Access-Control-Allow-Methods", "GET, POST, OPTIONS");

    // Be specific about allowed headers
    response.headers.set(
      "Access-Control-Allow-Headers",
      "Content-Type, Authorization, X-Requested-With"
    );

    // Add security headers for API routes
    response.headers.set("X-Content-Type-Options", "nosniff");
    // X-Frame-Options supprimé pour autoriser les iframes externes
    response.headers.set("X-XSS-Protection", "1; mode=block");
    response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");

    // Handle preflight requests
    if (request.method === "OPTIONS") {
      return new NextResponse(null, { status: 200, headers: response.headers });
    }

    // Block non-allowed origins for non-preflight requests
    if (!isAllowedOrigin && origin) {
      return new NextResponse("CORS policy violation", { status: 403 });
    }

    return response;
  }

  const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
  const ContentSecurityPolicy = `
    default-src 'self';
    img-src 'self' https://travail-emploi.gouv.fr https://www.service-public.gouv.fr ${BUCKET_URL} https://matomo.fabrique.social.gouv.fr https://www.googletagmanager.com https://ad.doubleclick.net data:;
    script-src 'self' 'nonce-${nonce}' https://mon-entreprise.urssaf.fr https://matomo.fabrique.social.gouv.fr https://tally.so https://www.googletagmanager.com ${
      process.env.NEXT_PUBLIC_APP_ENV !== "production" ? "'unsafe-eval'" : ""
    };
    style-src 'self' 'unsafe-inline';
    font-src 'self' data:;
    object-src 'none';
    base-uri 'self';
    form-action 'self';
    frame-src 'self' https://www.urssaf.fr https://code.travail.gouv.fr https://www.aides-entreprises.fr https://mon-entreprise.urssaf.fr https://matomo.fabrique.social.gouv.fr https://tally.so https://www.googletagmanager.com *.dailymotion.com https://*.doubleclick.net;
    connect-src 'self' https://geo.api.gouv.fr https://sentry2.fabrique.social.gouv.fr https://matomo.fabrique.social.gouv.fr https://tally.so https://www.googletagmanager.com https://www.google.com;
    worker-src 'self' blob:;
    upgrade-insecure-requests;
  `;
  // Replace newline characters and spaces
  const contentSecurityPolicyHeaderValue = ContentSecurityPolicy.replace(
    /\s{2,}/g,
    " "
  ).trim();

  const requestHeaders = new Headers(request.headers);
  requestHeaders.set("x-url", request.nextUrl.pathname);
  requestHeaders.set("x-nonce", nonce);
  requestHeaders.set(
    "Content-Security-Policy",
    contentSecurityPolicyHeaderValue
  );

  const response = NextResponse.next({
    request: {
      headers: requestHeaders,
    },
  });

  // Set comprehensive security headers
  response.headers.set(
    "Content-Security-Policy",
    contentSecurityPolicyHeaderValue
  );
  response.headers.set("X-Content-Type-Options", "nosniff");
  // X-Frame-Options supprimé pour autoriser les iframes externes
  response.headers.set("X-XSS-Protection", "1; mode=block");
  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
  response.headers.set(
    "Permissions-Policy",
    "geolocation=(), microphone=(), camera=()"
  );
  response.headers.set(
    "Strict-Transport-Security",
    "max-age=31536000; includeSubDomains; preload"
  );

  return response;
}

export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico (favicon file)
     */
    {
      source: "/((?!_next/static|_next/image|favicon.ico).*)",
      missing: [
        { type: "header", key: "next-router-prefetch" },
        { type: "header", key: "purpose", value: "prefetch" },
      ],
    },
  ],
};