

Merge pull request #1267 from bcgov/chore/1231
feat(1231): add secure headers in nextjs config
junminahn authored Nov 7, 2023
2 parents 6f51d9d + f31d90c commit 8dfa9d1
Showing 6 changed files with 112 additions and 1 deletion.
2 changes: 1 addition & 1 deletion Makefile
@@ -2,4 +2,4 @@ SHELL := /usr/bin/env bash

.PHONY: localdev
localdev:
docker-compose -f ./localdev/docker-compose.yml up --build
docker-compose -f ./localdev/docker-compose.yml up
1 change: 1 addition & 0 deletions helm/main/values-101ed4-dev.yaml
@@ -9,6 +9,7 @@ app:
env:
"APP_ENV": "dev"
"BASE_URL": "https://dev-pltsvc.apps.silver.devops.gov.bc.ca"
"AUTH_BASE_URL": "https://dev.loginproxy.gov.bc.ca/"
"AUTH_SERVER_URL": "https://dev.loginproxy.gov.bc.ca/auth"
"AUTH_RELM": "platform-services"
"NEXTAUTH_URL": "https://dev-pltsvc.apps.silver.devops.gov.bc.ca/"
1 change: 1 addition & 0 deletions helm/main/values-101ed4-prod.yaml
@@ -9,6 +9,7 @@ app:
env:
"APP_ENV": "prod"
"BASE_URL": "https://pltsvc.apps.silver.devops.gov.bc.ca"
"AUTH_BASE_URL": "https://loginproxy.gov.bc.ca/"
"AUTH_SERVER_URL": "https://loginproxy.gov.bc.ca/auth"
"AUTH_RELM": "platform-services"
"NEXTAUTH_URL": "https://pltsvc.apps.silver.devops.gov.bc.ca/"
1 change: 1 addition & 0 deletions helm/main/values-101ed4-test.yaml
@@ -9,6 +9,7 @@ app:
env:
"APP_ENV": "test"
"BASE_URL": "https://test-pltsvc.apps.silver.devops.gov.bc.ca"
"AUTH_BASE_URL": "https://test.loginproxy.gov.bc.ca/"
"AUTH_SERVER_URL": "https://test.loginproxy.gov.bc.ca/auth"
"AUTH_RELM": "platform-services"
"NEXTAUTH_URL": "https://test-pltsvc.apps.silver.devops.gov.bc.ca/"
1 change: 1 addition & 0 deletions helm/main/values.yaml
@@ -45,6 +45,7 @@ app:
env:
"APP_ENV": ""
"BASE_URL": ""
"AUTH_BASE_URL": ""
"AUTH_SERVER_URL": ""
"AUTH_RELM": ""
"NEXTAUTH_URL": ""
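--- a/next.config.js
+++ b/next.config.js
@@ -19,6 +19,113 @@ const nextConfig = {
 },
 ];
 },
+poweredByHeader: false,
+async headers() {
+if (!['dev', 'test', 'prod'].includes(process.env.APP_ENV)) return [];
+
+return [
+{
+source: '/(.*)',
+headers: [
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+{
+key: 'content-security-policy',
+value: [
+"base-uri 'self'",
+"default-src 'self'",
+"script-src 'self' 'unsafe-inline'",
+"style-src 'self' 'unsafe-inline'",
+"img-src 'self' https://gravatar.com/",
+`connect-src 'self' https://gravatar.com/ ${process.env.AUTH_BASE_URL}`,
+`frame-src ${process.env.AUTH_BASE_URL}`,
+`frame-ancestors ${process.env.AUTH_BASE_URL}`,
+"object-src 'none'",
+"form-action 'self'",
+'upgrade-insecure-requests',
+].join(';'),
+},
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+{
+key: 'strict-transport-security',
+value: 'max-age=15768000; includeSubDomains; preload',
+},
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+{
+key: 'x-content-type-options',
+value: 'nosniff',
+},
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+{
+key: 'x-frame-options',
+value: 'SAMEORIGIN',
+},
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+{
+key: 'x-xss-protection',
+value: '0',
+},
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Permissions_Policy
+{
+key: 'permissions-policy',
+value: [
+'accelerometer=()',
+'ambient-light-sensor=()',
+'autoplay=()',
+'battery=()',
+'camera=()',
+'cross-origin-isolated=()',
+'display-capture=()',
+'document-domain=()',
+'encrypted-media=()',
+'execution-while-not-rendered=()',
+'execution-while-out-of-viewport=()',
+'fullscreen=(self)',
+'geolocation=()',
+'gyroscope=()',
+'keyboard-map=()',
+'magnetometer=()',
+'microphone=()',
+'midi=()',
+'navigation-override=()',
+'payment=()',
+'picture-in-picture=()',
+'publickey-credentials-get=()',
+'screen-wake-lock=()',
+'sync-xhr=()',
+'usb=()',
+'web-share=()',
+'xr-spatial-tracking=()',
+].join(','),
+},
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+{
+key: 'referrer-policy',
+value: 'strict-origin',
+},
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
+{
+key: 'x-dns-prefetch-control',
+value: 'off',
+},
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
+{
+key: 'cache-control',
+value: 'no-cache, no-store, must-revalidate, proxy-revalidate',
+},
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Pragma
+{
+key: 'pragma',
+value: 'no-cache',
+},
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
+{
+key: 'expires',
+value: '0',
+},
+],
+},
+];
+},
 images: {
 remotePatterns: [
 {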
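Review bot: `frame-ancestors ${process.env.AUTH_BASE_URL}` and `x-frame-options: SAMEORIGIN` state different framing policies, and browsers that support CSP frame-ancestors ignore X-Frame-Options when both are present, so modern clients allow framing only from the auth proxy and never from the app's own origin while older clients do the reverse; make them agree, either `frame-ancestors 'self' ${process.env.AUTH_BASE_URL}` if self-framing is needed or `DENY` plus a proxy-only frame-ancestors if it is not. The interpolated `AUTH_BASE_URL` is never checked before it lands in the header: the chart's values.yaml defaults it to an empty string, so a deployment that sets APP_ENV but not AUTH_BASE_URL emits `frame-src ` and `frame-ancestors ` with no sources, which blocks the login frame with no error at load time; a guard before the return such as `if (!process.env.AUTH_BASE_URL) throw new Error('AUTH_BASE_URL must be set when APP_ENV is dev, test or prod');` would surface the misconfiguration when the config is loaded instead. The `preload` token on Strict-Transport-Security does nothing with `max-age=15768000`, because the HSTS preload list requires a max-age of at least 31536000 (one year); either raise the value or drop `preload`. `script-src 'self' 'unsafe-inline'` leaves the CSP unable to block injected inline scripts, so a one-line comment recording that this is a deliberate accommodation for Next.js inline scripts pending nonce- or hash-based script-src would stop the next reader from treating it as an oversight. The enclosing `nextConfig` object begins before this hunk.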
