Added content security policy.

Author: mikecao

middleware.js

@@ -33,14 +33,6 @@ function customScriptName(req) {
   }
 }
 
-function forceSSL(req, res) {
-  if (process.env.FORCE_SSL && req.nextUrl.protocol === 'http:') {
-    res.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
-  }
-
-  return res;
-}
-
 export default function middleware(req) {
   const fns = [customCollectEndpoint, customScriptName];
 
@@ -51,5 +43,5 @@ export default function middleware(req) {
     }
   }
 
-  return forceSSL(req, NextResponse.next());
+  return NextResponse.next();
 }

next.config.js

@@ -1,6 +1,37 @@
 require('dotenv').config();
 const pkg = require('./package.json');
 
+const contentSecurityPolicy = `
+  default-src 'self';
+  img-src *;
+  script-src 'self' 'unsafe-eval';
+  style-src 'self' 'unsafe-inline';
+  connect-src 'self' api.umami.is;
+  frame-ancestors 'self';
+`;
+
+const headers = [
+  {
+    key: 'X-DNS-Prefetch-Control',
+    value: 'on',
+  },
+  {
+    key: 'X-Frame-Options',
+    value: 'SAMEORIGIN',
+  },
+  {
+    key: 'Content-Security-Policy',
+    value: contentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
+  },
+];
+
+if (process.env.FORCE_SSL) {
+  headers.push({
+    key: 'Strict-Transport-Security',
+    value: 'max-age=63072000; includeSubDomains; preload',
+  });
+}
+
 module.exports = {
   env: {
     currentVersion: pkg.version,
@@ -24,6 +55,10 @@ module.exports = {
   },
   async headers() {
     return [
+      {
+        source: '/:path*',
+        headers,
+      },
       {
         source: `/(.*\\.js)`,
         headers: [