Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(sec): add security headers #311

Merged
merged 1 commit into from
Sep 7, 2024
Merged

feat(sec): add security headers #311

merged 1 commit into from
Sep 7, 2024

Conversation

42tte
Copy link
Contributor

@42tte 42tte commented Oct 21, 2022

@vercel
Copy link

vercel bot commented Oct 21, 2022
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
variant-no ✅ Ready (Inspect) Visit Preview 💬 Add feedback Sep 7, 2024 8:05am
variant-se-2 ✅ Ready (Inspect) Visit Preview Sep 7, 2024 8:05am

42tte
42tte commented Oct 21, 2022
View reviewed changes
next.config.js
default-src 'self';
connect-src 'self' https://variant.innocraft.cloud/;
script-src 'self' 'sha256-j6xN8x073Dhm+Ee4HKwIIRXsHIqI5aIRHC0pgnhVcJY=' https://variant.innocraft.cloud/ ${
process.env.NODE_ENV !== 'production' ? "'unsafe-eval'" : ''
Copy link
Contributor Author

@42tte 42tte Oct 21, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

'unsafe-eval' needed for hot reload in dev build

42tte
42tte commented Oct 21, 2022
View reviewed changes
next.config.js
const ContentSecurityPolicy = `
default-src 'self';
connect-src 'self' https://variant.innocraft.cloud/;
script-src 'self' 'sha256-j6xN8x073Dhm+Ee4HKwIIRXsHIqI5aIRHC0pgnhVcJY=' https://variant.innocraft.cloud/ ${
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should have used 'strict-dynamic' but there is no good way of using generated nonces in Nextjs vercel/next.js#21587

@42tte 42tte force-pushed the 42tte/feat-security-headers branch from 0e2aac9 to 40489d4 Compare August 1, 2024 11:06
@42tte 42tte requested a review from mikaelbr August 1, 2024 11:06
@mikaelbr
Copy link
Member

mikaelbr commented Sep 4, 2024

Haven't gone through all potential external references here, but at a glance it looks to cover the things I can think of at least. Now there will be a new implementation of variant webpage, so this would have to be ported over. In that port I also think we could transition to using middleware which I belive now can support nonce.

@42tte 42tte force-pushed the 42tte/feat-security-headers branch from 40489d4 to 827ffa5 Compare September 7, 2024 07:57
@42tte 42tte merged commit 701addb into main Sep 7, 2024
7 checks passed
@42tte 42tte deleted the 42tte/feat-security-headers branch September 7, 2024 08:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mikaelbr mikaelbr mikaelbr approved these changes

@christinaroise christinaroise Awaiting requested review from christinaroise

Assignees
No one assigned
Labels
None yet
Projects
Dash - Variant Åpne løsninger
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@42tte @mikaelbr