diff --git a/frontend/next.config.js b/frontend/next.config.js
index fc3f56345703..f3cdf16130a7 100644
--- a/frontend/next.config.js
+++ b/frontend/next.config.js
@@ -21,21 +21,50 @@ const nextConfig = {
 },
 };
 
-const ContentSecurityPolicy = `
- default-src 'self' https://fonts.googleapis.com ${process.env.NEXT_PUBLIC_SUPABASE_URL} https://api.june.so https://www.quivr.app/;
- connect-src 'self' ${process.env.NEXT_PUBLIC_SUPABASE_URL} ${process.env.NEXT_PUBLIC_BACKEND_URL} https://api.june.so https://api.openai.com https://cdn.growthbook.io https://vitals.vercel-insights.com/v1/vitals;
- img-src 'self' data:;
- media-src 'self' https://user-images.githubusercontent.com https://www.quivr.app/ https://quivr-cms.s3.eu-west-3.amazonaws.com;
- script-src 'unsafe-inline' 'unsafe-eval' https://va.vercel-scripts.com/ https://www.quivr.app/ https://www.google-analytics.com/;
- frame-ancestors 'none';
- style-src 'unsafe-inline' https://www.quivr.app/;
-`;
+const ContentSecurityPolicy = {
+ "default-src": [
+ "self",
+ "https://fonts.googleapis.com",
+ process.env.NEXT_PUBLIC_SUPABASE_URL,
+ "https://api.june.so",
+ "https://www.quivr.app/",
+ ],
+ "connect-src": [
+ "self",
+ process.env.NEXT_PUBLIC_SUPABASE_URL,
+ process.env.NEXT_PUBLIC_BACKEND_URL,
+ "https://api.june.so",
+ "https://api.openai.com",
+ "https://cdn.growthbook.io",
+ "https://vitals.vercel-insights.com/v1/vitals",
+ ],
+ "img-src": ["self", "https://www.gravatar.com/", "data:"],
+ "media-src": [
+ "self",
+ "https://user-images.githubusercontent.com",
+ "https://www.quivr.app/",
+ "https://quivr-cms.s3.eu-west-3.amazonaws.com",
+ ],
+ "script-src": [
+ "unsafe-inline",
+ "unsafe-eval",
+ "https://va.vercel-scripts.com/",
+ "https://www.quivr.app/",
+ "https://www.google-analytics.com/",
+ ],
+ "frame-ancestors": ["none"],
+ "style-src": ["unsafe-inline", "https://www.quivr.app/"],
+};
+
+const cspString = Object.entries(ContentSecurityPolicy)
+ .map(([key, values]) => `${key} ${values.join(" ")}`)
+ .join("; ");
 
 // Define headers
 const securityHeaders = [
 {
 key: "Content-Security-Policy",
- value: ContentSecurityPolicy.replace(/\n/g, ""),
+ value: cspString,
 },
 {
key: "Referrer-Policy",
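Review bot: The CSP keyword sources lose their mandatory single quotes in the new object form — `"self"` serializes to `default-src self …`, which a browser parses as a host named `self`, not the `'self'` keyword, and the same happens to `unsafe-inline`/`unsafe-eval` in `script-src` and `none` in `frame-ancestors`, whereas the removed template literal had them quoted. In practice same-origin requests under `connect-src` and inline scripts that the old policy permitted are now blocked, and most browsers emit a policy-parse warning for the unquoted tokens. Write those entries as `"'self'"`, `"'unsafe-inline'"`, `"'unsafe-eval'"` and `"'none'"`, or have the serializer quote a fixed set of keywords. Separately, an unset `NEXT_PUBLIC_SUPABASE_URL` or `NEXT_PUBLIC_BACKEND_URL` still lands in the header as the literal host `undefined` (the old string had the same gap); `.map(([key, values]) => \`${key} ${values.filter(Boolean).join(" ")}\`)` drops it.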