Merge pull request #211 from supabase/chore/csp

staaldraad · web-flow · commit c4e535f9653a · 2025-01-06T11:52:40.000+01:00
chore: add csp header
diff --git a/website/next.config.js b/website/next.config.js
@@ -1,6 +1,33 @@
 /** @type {import('next').NextConfig} */
+
+const cspHeader = `
+  default-src 'self' ${process.env.NEXT_PUBLIC_SUPABASE_URL};
+  style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ https://fonts.google.com/;
+  img-src 'self' data: ${process.env.NEXT_PUBLIC_SUPABASE_URL}/storage/;
+  object-src 'none';
+  base-uri 'none';
+  frame-ancestors 'none';
+`
+
 const nextConfig = {
   reactStrictMode: true,
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'Content-Security-Policy',
+            value: cspHeader.replace(/\n/g, ''),
+          },
+          {
+            key: 'X-Frame-Options',
+            value: 'SAMEORIGIN',
+          },
+        ],
+      },
+    ]
+  },
 }
 
 module.exports = nextConfig
