From 1797c13718e88ce7c30f3b85eb79a6c3d12552db Mon Sep 17 00:00:00 2001
From: vchikalkin
Date: Sat, 27 Apr 2024 11:22:26 +0300
Subject: [PATCH] next.config.js: add csp header
---
 apps/web/next.config.js | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/apps/web/next.config.js b/apps/web/next.config.js
index ca3cbdc..6c6b413 100644
--- a/apps/web/next.config.js
+++ b/apps/web/next.config.js
@@ -18,8 +18,38 @@ function buildFaviconRewrite(source) {
 };
 }
 
+const cspHeader = `
+ upgrade-insecure-requests;
+ default-src ${ process.env.NODE_ENV === 'development' ? 'http: ws:' : '' } https: wss: data: blob: 'self';
+ base-uri 'self';
+ connect-src 'self' *.evoleasing.ru ${process.env.NODE_ENV === 'development' ? 'ws:' : ''} wss:;
+ worker-src 'self' blob:;
+ font-src 'self' fonts.gstatic.com fonts.googleapis.com;
+ script-src 'self' ${ process.env.NODE_ENV === 'development' ? "'unsafe-eval' 'unsafe-inline'" : '' };
+ style-src 'self' 'unsafe-inline' fonts.googleapis.com;
+ object-src 'none';
+ frame-ancestors 'none';
+ `;
+
 module.exports = withSentryConfig(
 {
+ async headers() {
+ return [
+ {
+ source: '/(.*)',
+ headers: [
+ {
+ key: 'Content-Security-Policy',
+ value: cspHeader.replace(/\n/g, ''),
+ },
+ ],
+ },
+ ];
+ },
 basePath: env.BASE_PATH,
 compiler: {
 styledComponents: true,
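Review bot: The production fallback `default-src https: wss: data: blob: 'self'` means every fetch directive the policy does not list explicitly (frame-src/child-src, img-src, media-src, manifest-src) still admits any HTTPS origin, and `form-action`, which never falls back to `default-src`, is absent entirely, so a markup injection could still frame content from or post form data to an attacker-controlled host; I would add `form-action 'self'; frame-src 'none';` (or an explicit allow-list) beside `frame-ancestors 'none'`, narrow `default-src` to `'self'`, and move `https:`/`data:`/`blob:` into only the individual directives that need them. Enforcing `script-src 'self'` in production with no nonce or hash presumably blocks the inline scripts Next.js emits in some setups, so verify hydration against a production build, and consider shipping this first as `Content-Security-Policy-Report-Only` with a `report-uri`/`report-to` so violations are visible instead of silently breaking pages. `'unsafe-inline'` in `style-src` gives up most of the style-injection protection; styled-components (enabled via `compiler.styledComponents` in the surrounding config) accepts a nonce, so this may be tightenable later. Cosmetic: `cspHeader.replace(/\n/g, '')` keeps the indentation runs and the empty dev/prod interpolations in the header value, whereas `.replace(/\s{2,}/g, ' ').trim()` produces a clean single-line policy.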