next.config.js: add csp header

apps/web/next.config.js

@@ -18,8 +18,38 @@ function buildFaviconRewrite(source) {
   };
 }
 
+const cspHeader = `
+    upgrade-insecure-requests;
+    default-src ${
+      process.env.NODE_ENV === 'development' ? 'http: ws:' : ''
+    } https: wss:  data: blob: 'self';
+    base-uri 'self';
+    connect-src 'self' *.evoleasing.ru ${process.env.NODE_ENV === 'development' ? 'ws:' : ''} wss:;
+    worker-src 'self' blob:;
+    font-src 'self' fonts.gstatic.com fonts.googleapis.com;
+    script-src 'self' ${
+      process.env.NODE_ENV === 'development' ? "'unsafe-eval' 'unsafe-inline'" : ''
+    };
+    style-src 'self' 'unsafe-inline' fonts.googleapis.com;
+    object-src 'none';
+    frame-ancestors 'none';
+`;
+
 module.exports = withSentryConfig(
   {
+    async headers() {
+      return [
+        {
+          source: '/(.*)',
+          headers: [
+            {
+              key: 'Content-Security-Policy',
+              value: cspHeader.replace(/\n/g, ''),
+            },
+          ],
+        },
+      ];
+    },
     basePath: env.BASE_PATH,
     compiler: {
       styledComponents: true,