
Merge pull request #279 from ente-io/configure-local-headers

Configure local headers
abhinavkgrd 3 år sedan
förälder
incheckning
c53a94240b
3 ändrade filer med 84 tillägg och 19 borttagningar
  1. 53 0
      configUtil.js
  2. 26 8
      next.config.js
  3. 5 11
      tsconfig.json

+ 53 - 0
configUtil.js

@@ -0,0 +1,53 @@
+const cp = require('child_process');
+
+module.exports = {
+    COOP_COEP_HEADERS: {
+        'Cross-Origin-Opener-Policy': 'same-origin',
+        'Cross-Origin-Embedder-Policy': 'require-corp',
+    },
+
+    WEB_SECURITY_HEADERS: {
+        'Strict-Transport-Security': '  max-age=63072000',
+        'X-Content-Type-Options': 'nosniff',
+        'X-Download-Options': 'noopen',
+        'X-Frame-Options': 'deny',
+        'X-XSS-Protection': '1; mode=block',
+        'Referrer-Policy': 'same-origin',
+    },
+
+    CSP_DIRECTIVES: {
+        'default-src': "'none'",
+        'img-src': "'self' blob:",
+        'style-src': "'self' 'unsafe-inline'",
+        'font-src ': "'self'; script-src 'self' 'unsafe-eval' blob:",
+        'connect-src':
+            "'self' https://*.ente.io data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com ",
+        'base-uri ': "'self'",
+        'frame-ancestors': " 'none'",
+        'form-action': "'none'",
+        'report-uri': 'https://csp-reporter.ente.io',
+        'report-to': 'https://csp-reporter.ente.io',
+    },
+
+    WORKBOX_CONFIG: {
+        swSrc: 'src/serviceWorker.js',
+        exclude: [/manifest\.json$/i],
+    },
+
+    ALL_ROUTES: '/(.*)',
+
+    buildCSPHeader: (directives) => ({
+        'Content-Security-Policy-Report-Only': Object.entries(
+            directives
+        ).reduce((acc, [key, value]) => acc + `${key} ${value};`, ''),
+    }),
+
+    convertToNextHeaderFormat: (headers) =>
+        Object.entries(headers).map(([key, value]) => ({ key, value })),
+
+    getGitSha: () =>
+        cp.execSync('git rev-parse --short HEAD', {
+            cwd: __dirname,
+            encoding: 'utf8',
+        }),
+};
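Review bot: The `'font-src '` entry in CSP_DIRECTIVES hides a second directive inside its value — `script-src 'self' 'unsafe-eval' blob:` only reaches the policy because buildCSPHeader concatenates values verbatim, so anything that later iterates the map (a nonce helper, a test asserting on `script-src`) will never see a `script-src` key. Split it into two entries: `'font-src': "'self'",` and `'script-src': "'self' 'unsafe-eval' blob:",`. The same map carries stray whitespace that ends up in the emitted headers (`'font-src '`, `'base-uri '`, the leading space in `" 'none'"`, the trailing space on the connect-src value, and the two leading spaces in the Strict-Transport-Security value); trimming them keeps the header text canonical and easier to diff against a scanner's output. Separately, the `report-to` directive takes the name of a reporting group declared in a `Report-To`/`Reporting-Endpoints` response header rather than a URL, so as written it is likely ignored and only `report-uri` delivers reports — worth confirming against what the reporter endpoint expects.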

+ 26 - 8
next.config.js

@@ -5,11 +5,18 @@ const withWorkbox = require('@ente-io/next-with-workbox');
 
 const { withSentryConfig } = require('@sentry/nextjs');
 
-const cp = require('child_process');
-const gitSha = cp.execSync('git rev-parse --short HEAD', {
-    cwd: __dirname,
-    encoding: 'utf8',
-});
+const {
+    getGitSha,
+    convertToNextHeaderFormat,
+    buildCSPHeader,
+    COOP_COEP_HEADERS,
+    WEB_SECURITY_HEADERS,
+    CSP_DIRECTIVES,
+    WORKBOX_CONFIG,
+    ALL_ROUTES,
+} = require('./configUtil');
+
+const gitSha = getGitSha();
 
 module.exports = withSentryConfig(
     withWorkbox(
@@ -17,9 +24,20 @@ module.exports = withSentryConfig(
             env: {
                 SENTRY_RELEASE: gitSha,
             },
-            workbox: {
-                swSrc: 'src/serviceWorker.js',
-                exclude: [/manifest\.json$/i],
+            workbox: WORKBOX_CONFIG,
+
+            headers() {
+                return [
+                    {
+                        // Apply these headers to all routes in your application....
+                        source: ALL_ROUTES,
+                        headers: convertToNextHeaderFormat({
+                            ...COOP_COEP_HEADERS,
+                            ...WEB_SECURITY_HEADERS,
+                            ...buildCSPHeader(CSP_DIRECTIVES),
+                        }),
+                    },
+                ];
             },
             // https://dev.to/marcinwosinek/how-to-add-resolve-fallback-to-webpack-5-in-nextjs-10-i6j
             webpack: (config, { isServer }) => {
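Review bot: The policy assembled in headers() is emitted as `Content-Security-Policy-Report-Only` (buildCSPHeader in configUtil.js), so of the three spread groups only COOP_COEP_HEADERS and WEB_SECURITY_HEADERS are enforced while the CSP merely reports violations; that is a sensible rollout step, but nothing in the file records it. Replace the copied `// Apply these headers to all routes in your application....` comment with one that states the intent, e.g. `// CSP is report-only during rollout; switch buildCSPHeader to Content-Security-Policy once reports are clean.` In the first hunk, `const gitSha = getGitSha();` takes execSync's raw stdout, which ends in a newline, so SENTRY_RELEASE carries a trailing `\n`; the removed inline version had the same behaviour, and `const gitSha = getGitSha().trim();` would fix it at the call site. The enclosing Next.js config object begins and ends outside the hunk.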

+ 5 - 11
tsconfig.json

@@ -1,12 +1,7 @@
 {
     "compilerOptions": {
         "target": "es5",
-        "lib": [
-            "dom",
-            "dom.iterable",
-            "esnext",
-            "webworker"
-        ],
+        "lib": ["dom", "dom.iterable", "esnext", "webworker"],
         "allowJs": true,
         "skipLibCheck": true,
         "strict": false,
@@ -25,9 +20,8 @@
         "next-env.d.ts",
         "**/*.ts",
         "**/*.tsx",
-        "src/pages/index.tsx"
+        "src/pages/index.tsx",
+        "configUtil.js"
     ],
-    "exclude": [
-        "node_modules"
-    ]
-}
+    "exclude": ["node_modules"]
+}