
fix(csp): add growthbook to csp headers #1117

Merged
merged 1 commit into from
Sep 6, 2023

Conversation

gozineb
Contributor

@gozineb gozineb commented Sep 6, 2023

Description

Fix csp headers in prod by adding growthbook url to connect-src

Checklist before requesting a review

Please delete options that are not relevant.

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented hard-to-understand areas
  • I have ideally added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

Screenshots (if appropriate):

@vercel

vercel bot commented Sep 6, 2023

The latest updates on your projects. Learn more about Vercel for Git

Name Status Preview Comments Updated (UTC)
docs 🔄 Building (Inspect) Visit Preview Sep 6, 2023 9:39am
quivrapp ✅ Ready (Inspect) Visit Preview 💬 Add feedback Sep 6, 2023 9:39am

@github-actions
Contributor

github-actions bot commented Sep 6, 2023

Risk Level 2 - /home/runner/work/quivr/quivr/frontend/next.config.js

The code changes seem to be safe and follow good practices. However, there are a few points to consider:

  1. Environment Variables in Plain Text: The code uses environment variables, which is a good practice. However, ensure that these variables are not being logged or exposed in any way. This is especially important for process.env.NEXT_PUBLIC_SUPABASE_URL and process.env.NEXT_PUBLIC_BACKEND_URL.

  2. Content Security Policy (CSP): The CSP has been updated to include new sources. Ensure that these sources are trusted and necessary. Also, the use of 'unsafe-inline' and 'unsafe-eval' in script-src can expose your site to cross-site scripting (XSS) attacks.

  3. Sentry Configuration: The Sentry configuration seems to be done correctly. However, ensure that the SENTRY_DSN environment variable is kept secure and not exposed or logged.

🔒🌐🐛

Powered by Code Review GPT
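The PR adds the GrowthBook origin to connect-src in frontend/next.config.js, and the review bot warns about 'unsafe-inline' / 'unsafe-eval' in script-src. The following is an added example, not Quivr's own next.config.js: it builds the Content-Security-Policy value from environment variables, reduces each URL to its origin before allow-listing it, and lints the result for the script-src keywords the bot flags. The variable name NEXT_PUBLIC_GROWTHBOOK_URL, the function names, and every *.example.invalid URL are assumptions or constructed placeholders; the real GrowthBook URL is not on the page.

```javascript
// Added example (not Quivr's own next.config.js): build a CSP header value
// from environment variables and lint it for the script-src weaknesses the
// review bot flags. All URLs below are constructed placeholders.

// Parse a CSP string into a Map of directive name -> array of source expressions.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Reduce a full URL to its origin so the allow-list never carries a path or
// query string (CSP matches on scheme/host/port; a path would be over-specific
// and a copy-paste of a full API URL is a common source of broken policies).
function originOf(url) {
  return new URL(url).origin;
}

// Build the CSP value. `env` mirrors process.env; the defaults are constructed
// placeholders so the function runs offline. NEXT_PUBLIC_GROWTHBOOK_URL is an
// assumed variable name, not one taken from the project.
function buildCsp(env = process.env) {
  const supabase = originOf(env.NEXT_PUBLIC_SUPABASE_URL || "https://supabase.example.invalid");
  const backend = originOf(env.NEXT_PUBLIC_BACKEND_URL || "https://backend.example.invalid");
  const growthbook = originOf(env.NEXT_PUBLIC_GROWTHBOOK_URL || "https://growthbook.example.invalid");

  const directives = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:", "blob:"],
    "font-src": ["'self'"],
    // Every origin the browser may fetch/XHR/WebSocket to, including the
    // feature-flag API the PR adds.
    "connect-src": ["'self'", supabase, backend, growthbook],
    "frame-ancestors": ["'none'"],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Report the script-src keywords the review bot warns about, plus a missing
// connect-src (which would silently fall back to default-src).
function lintCsp(csp) {
  const parsed = parseCsp(csp);
  const findings = [];
  const scriptSrc = parsed.get("script-src") || [];
  for (const weak of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (scriptSrc.includes(weak)) findings.push(`script-src allows ${weak}`);
  }
  if (!parsed.has("connect-src")) {
    findings.push("connect-src missing; fetch/XHR fall back to default-src");
  }
  return findings;
}

// Shape of the next.config.js headers() hook that applies the policy to every route.
const nextConfig = {
  async headers() {
    return [
      {
        source: "/(.*)",
        headers: [{ key: "Content-Security-Policy", value: buildCsp() }],
      },
    ];
  },
};
```

Running lintCsp over the header a preview deployment actually serves (e.g. from a curl -I of the deployed URL) is a cheap post-merge check that the prod policy still lists every origin the app talks to and has not regained 'unsafe-eval' in script-src.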

@gozineb gozineb merged commit eb7b677 into main Sep 6, 2023
7 checks passed
StanGirard pushed a commit that referenced this pull request Sep 12, 2023