diff --git a/frontend/next.config.js b/frontend/next.config.js
index 56c3db7bc84a..b266558c3eb0 100644
--- a/frontend/next.config.js
+++ b/frontend/next.config.js
@@ -9,16 +9,12 @@ const nextConfig = {
   },
   // eslint-disable-next-line prefer-arrow/prefer-arrow-functions
   async headers() {
-    if (process.env.NEXT_PUBLIC_ENV === "prod") {
-      return [
-        {
-          source: "/(.*)",
-          headers: securityHeaders,
-        },
-      ];
-    } else {
-      return [];
-    }
+    return [
+      {
+        source: "/(.*)",
+        headers: securityHeaders,
+      },
+    ];
   },
 };
 
@@ -28,7 +24,11 @@ const ContentSecurityPolicy = {
     "https://fonts.googleapis.com",
     process.env.NEXT_PUBLIC_SUPABASE_URL,
     "https://api.june.so",
-    "https://www.quivr.app/",
+    {
+      prod: "https://www.quivr.app/",
+      preview: "https://preview.quivr.app/",
+      local: ["http://localhost:3000", "http://localhost:3001"],
+    },
   ],
   "connect-src": [
     "'self'",
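Review bot: The new unconditional `return` in `headers()` drops the `NEXT_PUBLIC_ENV === "prod"` gate without saying why, and the reason is exactly what a future maintainer will want before re-adding an environment check; a one-line comment above the `return` would carry it, e.g. `// Send the security headers (incl. CSP) in every environment so a policy that breaks the app is caught in preview/local, not in prod.`. `securityHeaders` itself is defined outside this hunk, so I can't confirm from here which headers that list contains.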
@@ -50,13 +50,38 @@ const ContentSecurityPolicy = {
     "'unsafe-inline'",
     "'unsafe-eval'",
     "https://va.vercel-scripts.com/",
-    "https://www.quivr.app/",
+    {
+      prod: "https://www.quivr.app/",
+      preview: "https://preview.quivr.app/",
+      local: ["http://localhost:3000", "http://localhost:3001"],
+    },
     "https://www.google-analytics.com/",
   ],
   "frame-ancestors": ["'none'"],
-  "style-src": ["'unsafe-inline'", "https://www.quivr.app/"],
+  "style-src": [
+    "'unsafe-inline'",
+    {
+      prod: "https://www.quivr.app/",
+      preview: "https://preview.quivr.app/",
+      local: ["http://localhost:3000", "http://localhost:3001"],
+    },
+  ],
 };
 
+// Resolve environment-specific CSP values
+for (const directive of Object.values(ContentSecurityPolicy)) {
+  for (const [index, resource] of directive.entries()) {
+    if (typeof resource === "string") {
+      continue;
+    }
+    directive[index] = resource[process.env.NEXT_PUBLIC_ENV];
+    if (Array.isArray(directive[index])) {
+      directive[index] = directive[index].join(" ");
+    }
+  }
+}
+
+// Build CSP string
 const cspString = Object.entries(ContentSecurityPolicy)
   .map(([key, values]) => `${key} ${values.join(" ")};`)
   .join(" ");
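Review bot: The resolution loop does not check that `process.env.NEXT_PUBLIC_ENV` names a key of the env-keyed object: when it is unset or anything other than `prod`/`preview`/`local`, `resource[process.env.NEXT_PUBLIC_ENV]` is `undefined`, `values.join(" ")` below turns that into an empty string, and the origin silently vanishes from `script-src`/`style-src` (and the `connect-src`-area entry in the earlier hunk) — the app then breaks at runtime with no build-time signal, and since the headers are now sent in every environment that includes preview and local. A plain property lookup also resolves inherited keys, so a value such as `constructor` would splice the `Object` function's string form into the policy rather than fail. I'd fail fast before the lookup, e.g. `const env = process.env.NEXT_PUBLIC_ENV;` at the top of the loop and then `if (!Object.hasOwn(resource, env)) {` / `throw new Error(\`CSP: no entry for NEXT_PUBLIC_ENV="${env}"\`);` / `}`. The existing `'unsafe-inline'`/`'unsafe-eval'` in `script-src` predate this change and are not addressed by it; worth a `// TODO` noting why they are still needed.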