fix: don't enforce https if http urls in env and related fixes 2 (#819)
janmichek authored Jul 15, 2024
1 parent 31da7e4 commit d33a8e5
Showing 4 changed files with 55 additions and 33 deletions.
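--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,7 @@
+*
+!src
+!index.html
+!nuxt.config.ts
+!package.json
+!tsconfig.json
+!yarn.lock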
28 changes: 14 additions & 14 deletions nuxt.config.ts
Original file line number Diff line number Diff line change
Expand Up @@ -34,20 +34,20 @@ export default defineNuxtConfig({
},
runtimeConfig: {
public: {
SENTRY_AUTH_TOKEN: process.env.SENTRY_AUTH_TOKEN,
SENTRY_DSN: process.env.SENTRY_DSN,
APP_DOMAIN: process.env.APP_DOMAIN,
MIDDLEWARE_URL: process.env.MIDDLEWARE_URL,
NODE_URL: process.env.NODE_URL,
WEBSOCKET_URL: process.env.WEBSOCKET_URL,
DEX_BACKEND_URL: process.env.DEX_BACKEND_URL,
NETWORK_NAME: process.env.NETWORK_NAME,
ALTERNATIVE_NETWORK_URL: process.env.ALTERNATIVE_NETWORK_URL,
ALTERNATIVE_NETWORK_NAME: process.env.ALTERNATIVE_NETWORK_NAME,
AE_TOKEN_ID: process.env.AE_TOKEN_ID,
DEBUG_MODE: process.env.DEBUG_MODE,
CONTRACT_VERIFICATION_SERVICE_URL: process.env.CONTRACT_VERIFICATION_SERVICE_URL,
SH_DEX_CONTRACTS: process.env.SH_DEX_CONTRACTS?.split(';'),
SENTRY_AUTH_TOKEN: undefined,
SENTRY_DSN: undefined,
APP_DOMAIN: undefined,
MIDDLEWARE_URL: undefined,
NODE_URL: undefined,
WEBSOCKET_URL: undefined,
DEX_BACKEND_URL: undefined,
NETWORK_NAME: undefined,
ALTERNATIVE_NETWORK_URL: undefined,
ALTERNATIVE_NETWORK_NAME: undefined,
AE_TOKEN_ID: undefined,
DEBUG_MODE: undefined,
CONTRACT_VERIFICATION_SERVICE_URL: undefined,
SH_DEX_CONTRACTS: undefined,
},
},
postcss: {
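Review bot: `SENTRY_AUTH_TOKEN` remains under `runtimeConfig.public` (line `SENTRY_AUTH_TOKEN: undefined,`), and keys in `public` are serialized to the client, so once the value is supplied from the environment (the point of switching the defaults to `undefined`, presumably via the `NUXT_PUBLIC_*` override) it will be shipped to every browser. If this is the Sentry auth token used for source-map upload it is a build-time secret and should not be a public runtime key at all; move `SENTRY_AUTH_TOKEN: undefined,` out of `public` to the private top level of `runtimeConfig`, or read it only in the build/Sentry module configuration. The enclosing `defineNuxtConfig({` object starts and ends outside this hunk.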
2 changes: 1 addition & 1 deletion src/composables/useAxios.js
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ const useAxios = () => {
return Promise.reject(error)
})

if (!DEBUG_MODE || DEBUG_MODE === 'false') {
if (!DEBUG_MODE) {
return axiosInstance.value
}

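Review bot: Assuming `if (!DEBUG_MODE) {` is the new line, dropping the `DEBUG_MODE === 'false'` branch makes the guard rely on the runtime config delivering a real boolean; if a deployment ends up with the literal string `'false'` (for example from an env value that is not coerced), it is truthy and the debug interceptors below this guard would be installed in production. If only `true`/`'true'` are meant to enable debugging, an explicit check avoids that ambiguity: `if (DEBUG_MODE !== true && DEBUG_MODE !== 'true') {`. The enclosing `useAxios` arrow function starts and ends outside this hunk.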
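--- a/src/server/plugins/response-headers.js
+++ b/src/server/plugins/response-headers.js
@@ -1,28 +1,43 @@
-const DEFAULT_HEADERS = {
-'X-Content-Type-Options': 'nosniff',
-'X-Frame-Options': 'sameorigin',
-'X-XSS-Protection': '1; mode=block',
-'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
-'Cache-control': 'no-cache',
-'Content-Security-Policy': 'default-src \'self\' *; font-src \'self\' data:; img-src \'self\' data:; script-src \'self\' \'unsafe-inline\'; style-src \'self\' \'unsafe-inline\'; frame-src \'self\'; upgrade-insecure-requests; block-all-mixed-content',
-'Permissions-Policy': 'camera=(), geolocation=(), microphone=()',
-'Referrer-Policy': 'strict-origin-when-cross-origin',
-'X-Permitted-Cross-Domain-Policies': 'none',
-'Cross-Origin-Embedder-Policy': 'require-corp',
-'Cross-Origin-Opener-Policy': 'same-origin',
-'Cross-Origin-Resource-Policy': 'cross-origin',
-}
-
 export default defineNitroPlugin(nitroApp => {
+const {
+WEBSOCKET_URL, MIDDLEWARE_URL, NODE_URL, DEX_BACKEND_URL, CONTRACT_VERIFICATION_SERVICE_URL,
+} = useRuntimeConfig().public
+
+const allowHttp = [
+MIDDLEWARE_URL, NODE_URL, DEX_BACKEND_URL, CONTRACT_VERIFICATION_SERVICE_URL,
+].some(url => url?.startsWith('http://')) || WEBSOCKET_URL?.startsWith('ws://')
+
+const DEFAULT_HEADERS = {
+'X-Content-Type-Options': 'nosniff',
+'X-Frame-Options': 'sameorigin',
+'X-XSS-Protection': '1; mode=block',
+'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
+'Cache-control': 'no-cache',
+'Content-Security-Policy': [
+'default-src \'self\' *',
+'font-src \'self\' data:',
+'img-src \'self\' data:',
+'script-src \'self\' \'unsafe-inline\'',
+'style-src \'self\' \'unsafe-inline\'',
+'frame-src \'self\'',
+...allowHttp ? [] : ['upgrade-insecure-requests'],
+'block-all-mixed-content',
+].join('; '),
+'Permissions-Policy': 'camera=(), geolocation=(), microphone=()',
+'Referrer-Policy': 'strict-origin-when-cross-origin',
+'X-Permitted-Cross-Domain-Policies': 'none',
+'Cross-Origin-Embedder-Policy': 'require-corp',
+'Cross-Origin-Opener-Policy': 'same-origin',
+'Cross-Origin-Resource-Policy': 'cross-origin',
+}
+
 nitroApp.hooks.hook('render:response', response => {
 delete response.headers['x-powered-by']
 
 if (process.env.NODE_ENV !== 'production') {
 return
 }
 
-for (const header in DEFAULT_HEADERS) {
-response.headers[header] = DEFAULT_HEADERS[header]
-}
+Object.assign(response.headers, DEFAULT_HEADERS)
 })
 })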
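Review bot: The `allowHttp` branch only removes `upgrade-insecure-requests` from the CSP (line `...allowHttp ? [] : ['upgrade-insecure-requests'],`), while `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` is still sent unconditionally; if any of the http:// backends lives on a subdomain of the explorer's own host, `includeSubDomains` makes the browser rewrite those requests to https regardless of the CSP, and `preload` commits the domain to that for as long as it sits on the preload lists, which is hard to undo for a deployment that intentionally runs plain http. Consider gating it the same way: `...allowHttp ? {} : { 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload' },`. The relaxation also presumably only helps when the page itself is served over http, since an https page still has http:// fetches blocked as mixed content (and `block-all-mixed-content` is retained), which is worth stating above `allowHttp`: `// only effective when the app itself is served over http; https pages still block http:// requests as mixed content`.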
