Merge pull request #211 from supabase/chore/csp

chore: add csp header
supabase · Jan 6, 2025 · c4e535f · c4e535f
2 parents 6d97b28 + 78cf07d
commit c4e535f
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/website/next.config.js b/website/next.config.js
@@ -1,6 +1,33 @@
 /** @type {import('next').NextConfig} */
+
+const cspHeader = `
+  default-src 'self' ${process.env.NEXT_PUBLIC_SUPABASE_URL};
+  style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ https://fonts.google.com/;
+  img-src 'self' data: ${process.env.NEXT_PUBLIC_SUPABASE_URL}/storage/;
+  object-src 'none';
+  base-uri 'none';
+  frame-ancestors 'none';
+`
+
 const nextConfig = {
   reactStrictMode: true,
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'Content-Security-Policy',
+            value: cspHeader.replace(/\n/g, ''),
+          },
+          {
+            key: 'X-Frame-Options',
+            value: 'SAMEORIGIN',
+          },
+        ],
+      },
+    ]
+  },
 }
 
 module.exports = nextConfig