diff --git a/apps/dcellar-web-ui/CHANGELOG.json b/apps/dcellar-web-ui/CHANGELOG.json index 155d9d30..6e94e3df 100644 --- a/apps/dcellar-web-ui/CHANGELOG.json +++ b/apps/dcellar-web-ui/CHANGELOG.json @@ -1,6 +1,18 @@ { "name": "dcellar-web-ui", "entries": [ + { + "version": "1.9.0", + "tag": "dcellar-web-ui_v1.9.0", + "date": "Tue, 05 Nov 2024 07:18:43 GMT", + "comments": { + "minor": [ + { + "comment": "Add CSP" + } + ] + } + }, { "version": "1.8.2", "tag": "dcellar-web-ui_v1.8.2", diff --git a/apps/dcellar-web-ui/CHANGELOG.md b/apps/dcellar-web-ui/CHANGELOG.md index 2f2aa2f7..d64f93a2 100644 --- a/apps/dcellar-web-ui/CHANGELOG.md +++ b/apps/dcellar-web-ui/CHANGELOG.md @@ -1,6 +1,13 @@ # Change Log - dcellar-web-ui -This log was last generated on Thu, 10 Oct 2024 12:15:36 GMT and should not be manually modified. +This log was last generated on Tue, 05 Nov 2024 07:18:43 GMT and should not be manually modified. + +## 1.9.0 +Tue, 05 Nov 2024 07:18:43 GMT + +### Minor changes + +- Add CSP ## 1.8.2 Thu, 10 Oct 2024 12:15:36 GMT diff --git a/apps/dcellar-web-ui/package.json b/apps/dcellar-web-ui/package.json index 8cab1418..264ed681 100644 --- a/apps/dcellar-web-ui/package.json +++ b/apps/dcellar-web-ui/package.json @@ -1,6 +1,6 @@ { "name": "dcellar-web-ui", - "version": "1.8.2", + "version": "1.9.0", "private": false, "scripts": { "dev": "node ./scripts/dev.js -p 3200", diff --git a/apps/dcellar-web-ui/src/base/env.ts b/apps/dcellar-web-ui/src/base/env.ts index d86a6345..908cd3db 100644 --- a/apps/dcellar-web-ui/src/base/env.ts +++ b/apps/dcellar-web-ui/src/base/env.ts @@ -1,7 +1,7 @@ import { removeTrailingSlash } from '@/utils/string'; import getConfig from 'next/config'; -const { publicRuntimeConfig, serverRuntimeConfig } = getConfig(); +const { publicRuntimeConfig, serverRuntimeConfig } = getConfig() || {}; const { NEXT_PUBLIC_ENV, NEXT_PUBLIC_STATIC_HOST, 
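Review bot: The `|| {}` fallback on `getConfig()` only protects the outer destructure: when `getConfig()` yields `undefined` (which this change implies can happen, presumably outside the Next.js server context), `publicRuntimeConfig` and `serverRuntimeConfig` are themselves `undefined`, and the `const { NEXT_PUBLIC_ENV, NEXT_PUBLIC_STATIC_HOST, … } =` destructure that follows will still throw if its right-hand side, which lies outside the hunk, is one of them. Defaulting both would keep the guard meaningful, e.g. `const { publicRuntimeConfig = {}, serverRuntimeConfig = {} } = getConfig() ?? {};`. A one-line comment recording where `getConfig()` is expected to be undefined would also help, since the reason for the guard is not stated in the code.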
diff --git a/apps/dcellar-web-ui/src/middleware.ts b/apps/dcellar-web-ui/src/middleware.ts
new file mode 100644
index 00000000..e0d51fff
--- /dev/null
+++ b/apps/dcellar-web-ui/src/middleware.ts
@@ -0,0 +1,56 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+export function middleware(request: NextRequest) {
+ const cspHeader = `
+ default-src 'self';
+ script-src 'self' 'unsafe-eval' https: https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com;
+ script-src-elem 'self' 'unsafe-inline' https: https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com;
+ style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
+ img-src 'self' blob: data: https: https://www.google-analytics.com https://www.googletagmanager.com;
+ font-src 'self' https://fonts.gstatic.com;
+ connect-src *;
+ object-src 'none';
+ base-uri 'self';
+ form-action 'self';
+ frame-ancestors 'none';
+ frame-src 'self' https://*.walletconnect.com https://verify.walletconnect.com;
+ media-src 'self';
+ manifest-src 'self';
+ worker-src 'self' blob:;
+ upgrade-insecure-requests;
+`;
+
+ const cleanCspHeader = cspHeader.replace(/\s+/g, ' ').trim();
+
+ const requestHeaders = new Headers(request.headers);
+ requestHeaders.set('Content-Security-Policy', cleanCspHeader);
+
+ const response = NextResponse.next({
+ request: {
+ headers: requestHeaders,
+ },
+ });
+
+ response.headers.set('Content-Security-Policy', cleanCspHeader);
+
+ return response;
+}
+
+export const config = {
+ matcher: [
+ /*
+ * Match all request paths except for the ones starting with:
+ * - api (API routes)
+ * - _next/static (static files)
+ * - _next/image (image optimization files)
+ * - favicon.ico (favicon file)
+ */
+ {
+ source: '/((?!api|_next/static|_next/image|favicon.ico).*)',
+ missing: [
+ { type: 'header', key: 'next-router-prefetch' },
+ { type: 'header', key: 'purpose', value: 'prefetch' },
+ ],
+ },
+ ],
+};
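Review bot: The `https:` scheme source in the `script-src` and `script-src-elem` directives of `cspHeader` permits script loading from any HTTPS origin, so the explicitly listed googletagmanager/google-analytics hosts add nothing and the policy offers little protection against injected script; `'unsafe-inline'` in `script-src-elem` and `connect-src *` widen it further. Consider dropping `https:` in favour of the explicit hosts, replacing `'unsafe-inline'` with a per-request nonce that this middleware generates and forwards on a request header (the document-rendering side, outside this file, would need to attach it to its inline scripts), and scoping `connect-src` to the origins the app actually calls, which are not enumerable from this file. Because tightening can break pages, ship the stricter policy under `Content-Security-Policy-Report-Only` first and promote it once reports are clean. `'unsafe-eval'` is a known CSP weakening whose justification is not visible here; a short comment above `cspHeader` naming the dependency that requires it would help the next maintainer decide whether it can go.
```typescript
export function middleware(request: NextRequest) {
  // Per-request nonce: lets the document's bootstrapping inline scripts be
  // allowed without 'unsafe-inline' or a blanket https: scheme source.
  const nonce = btoa(crypto.randomUUID());
  const cspHeader = `
    default-src 'self';
    script-src 'self' 'nonce-${nonce}' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com;
    script-src-elem 'self' 'nonce-${nonce}' https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com;
`;
  // … unchanged: remaining directives, whitespace cleanup into cleanCspHeader …
  const requestHeaders = new Headers(request.headers);
  requestHeaders.set('x-nonce', nonce); // consumed by the renderer to tag inline scripts
  requestHeaders.set('Content-Security-Policy', cleanCspHeader);
  // … unchanged: NextResponse.next(...), response header, return …
```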