

Add connect-src to CSP headers
hursey013 committed Nov 4, 2024
1 parent 61de4e1 commit cd6afca
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/middlewares/withCSP.ts
Expand Up @@ -8,15 +8,16 @@ export const withCSP: MiddlewareFactory = (next: NextMiddleware) => {
const nonce = request.headers.get('x-nonce') as string;
const cspHeader = `
default-src 'self';
script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${process.env.NODE_ENV === 'development' ? "'unsafe-eval'" : ''};
connect-src 'self' *.us-gov-west-1.aws-us-gov.cloud.gov;
script-src 'self' 'nonce-${nonce}' 'strict-dynamic' https: http: ${process.env.NODE_ENV === 'production' ? '' : `'unsafe-eval'`};
style-src 'self' 'nonce-${nonce}';
img-src 'self' blob: data:;
font-src 'self';
object-src 'none';
base-uri 'self';
form-action 'self';
frame-ancestors 'none';
${process.env.NODE_ENV !== 'development' ? 'upgrade-insecure-requests;' : ''};
${process.env.NODE_ENV === 'production' ? '' : 'upgrade-insecure-requests;'};
`;

// Replace newline characters and spaces
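Review bot: The rewritten `upgrade-insecure-requests` line (the second of the pair, presumably the new side) emits the directive only when NODE_ENV is not 'production', which inverts the previous condition and removes the directive from production responses while enabling it in local development; if that is not intended, `${process.env.NODE_ENV !== 'development' ? 'upgrade-insecure-requests;' : ''}` keeps production covered. The new `connect-src` entry is a scheme-less wildcard, `*.us-gov-west-1.aws-us-gov.cloud.gov`; if other applications are served under that shared suffix, each of them becomes a permitted fetch/XHR destination, so an exact hostname (or at least an `https://` prefix) would be tighter. The `https: http:` sources added to `script-src` are ignored by browsers that honour `'strict-dynamic'` but, on older engines, allow scripts from any host over plain HTTP; a one-line comment such as `// https: http: are a fallback for browsers without 'strict-dynamic' support` would make that trade-off explicit. The `withCSP` body starts before this hunk and continues past it.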

