diff --git a/middleware.js b/middleware.js index 46c440b5..88727d45 100644 --- a/middleware.js +++ b/middleware.js @@ -19,47 +19,46 @@ export function middleware (request) { resp = referrerMiddleware(request) } - // const nonce = Buffer.from(crypto.randomUUID()).toString('base64') - // // we want to load media from other localhost ports during development - // const devSrc = process.env.NODE_ENV === 'development' ? 'localhost:* ' : '' + const nonce = Buffer.from(crypto.randomUUID()).toString('base64') + // we want to load media from other localhost ports during development + const devSrc = process.env.NODE_ENV === 'development' ? ' localhost:*' : '' + // unsafe-eval is required during development due to react-refresh.js + // see https://github.com/vercel/next.js/issues/14221 + const devScriptSrc = process.env.NODE_ENV === 'development' ? " 'unsafe-eval'" : '' - // const cspHeader = [ - // // if something is not explicitly allowed, we don't allow it. - // "default-src 'none'", - // "font-src 'self' a.stacker.news", - // // we want to load images from everywhere but we can limit to HTTPS at least - // `img-src 'self' ${devSrc}a.stacker.news m.stacker.news https: data: blob:`, - // `media-src 'self' ${devSrc}a.stacker.news m.stacker.news`, - // // Using nonces and strict-dynamic deploys a strict CSP. - // // see https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#strict-policy. - // // Old browsers will ignore nonce and strict-dynamic and fallback to host-based matching and unsafe-inline - // process.env.NODE_ENV === 'production' - // ? `script-src 'self' 'unsafe-inline' 'nonce-${nonce}' 'strict-dynamic' https:` - // // unsafe-eval is required during development due to react-refresh.js - // // see https://github.com/vercel/next.js/issues/14221 - // : `script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-${nonce}' 'strict-dynamic' https:`, - // // unsafe-inline for styles is not ideal but okay if script-src is using nonces - // "style-src 'self' a.stacker.news 'unsafe-inline'", - // "manifest-src 'self'", - // 'frame-src www.youtube.com platform.twitter.com', - // `connect-src 'self' ${devSrc}https: wss:`, - // // disable dangerous plugins like Flash - // "object-src 'none'", - // // blocks injection of tags - // "base-uri 'none'", - // // tell user agents to replace HTTP with HTTPS - // 'upgrade-insecure-requests', - // // prevents any domain from framing the content (defense against clickjacking attacks) - // "frame-ancestors 'none'" - // ].join('; ') + const cspHeader = [ + // if something is not explicitly allowed, we don't allow it. + "default-src 'none'", + "font-src 'self' a.stacker.news", + // we want to load images from everywhere but we can limit to HTTPS at least + "img-src 'self' a.stacker.news m.stacker.news https: data: blob:" + devSrc, + "media-src 'self' a.stacker.news m.stacker.news" + devSrc, + // Using nonces and strict-dynamic deploys a strict CSP. + // see https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#strict-policy. + // Old browsers will ignore nonce and strict-dynamic and fallback to host-based matching and unsafe-inline + `script-src 'self' 'unsafe-inline' 'nonce-${nonce}' 'strict-dynamic' https:` + devScriptSrc, + // unsafe-inline for styles is not ideal but okay if script-src is using nonces + "style-src 'self' a.stacker.news 'unsafe-inline'", + "manifest-src 'self'", + 'frame-src www.youtube.com platform.twitter.com', + "connect-src 'self' https: wss:" + devSrc, + // disable dangerous plugins like Flash + "object-src 'none'", + // blocks injection of tags + "base-uri 'none'", + // tell user agents to replace HTTP with HTTPS + 'upgrade-insecure-requests', + // prevents any domain from framing the content (defense against clickjacking attacks) + "frame-ancestors 'none'" + ].join('; ') - // resp.headers.set('Content-Security-Policy', cspHeader) - // // for browsers that don't support CSP - // resp.headers.set('X-Frame-Options', 'DENY') - // // more useful headers - // resp.headers.set('X-Content-Type-Options', 'nosniff') - // resp.headers.set('Referrer-Policy', 'origin-when-cross-origin') - // resp.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains') + resp.headers.set('Content-Security-Policy', cspHeader) + // for browsers that don't support CSP + resp.headers.set('X-Frame-Options', 'DENY') + // more useful headers + resp.headers.set('X-Content-Type-Options', 'nosniff') + resp.headers.set('Referrer-Policy', 'origin-when-cross-origin') + resp.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains') return resp }