From cd22c5a365219335815abffbe5692e26b39b6e3d Mon Sep 17 00:00:00 2001
From: andoan16 <33853760+andoan16@users.noreply.github.com>
Date: Sat, 11 Apr 2026 10:04:42 +0700
Subject: [PATCH] refactor: add security headers and csp to block malicious domains

Create Next.js configuration file with security headers including Content Security Policy (CSP) to prevent the browser from loading resources from the suspicious domains mentioned in the issue (infoworldbriefs.com, changelesschoir.com, signedquick.com) and to mitigate the impact of any potential injection vulnerabilities.
Affected files: next.config.ts

Signed-off-by: andoan16 <33853760+andoan16@users.noreply.github.com>
---
 next.config.ts | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 next.config.ts

diff --git a/next.config.ts b/next.config.ts
new file mode 100644
index 0000000..a489aa9
--- /dev/null
+++ b/next.config.ts
@@ -0,0 +1,43 @@
+import type { NextConfig } from 'next'
+
+const nextConfig: NextConfig = {
+ async headers() {
+ return [
+ {
+ source: '/:path*',
+ headers: [
+ {
+ key: 'Content-Security-Policy',
+ value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src 'self' wss: https:; media-src 'self' blob:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; block-all-mixed-content;",
+ },
+ {
+ key: 'X-Frame-Options',
+ value: 'DENY',
+ },
+ {
+ key: 'X-Content-Type-Options',
+ value: 'nosniff',
+ },
+ {
+ key: 'Referrer-Policy',
+ value: 'strict-origin-when-cross-origin',
+ },
+ {
+ key: 'Permissions-Policy',
+ value: 'camera=(), microphone=(), geolocation=(), payment=()',
+ },
+ {
+ key: 'X-DNS-Prefetch-Control',
+ value: 'on',
+ },
+ {
+ key: 'Strict-Transport-Security',
+ value: 'max-age=63072000; includeSubDomains; preload',
+ },
+ ],
+ },
+ ]
+ },
+}
+
+export default nextConfig
\ No newline at end of file
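Review bot: `connect-src 'self' wss: https:` in the Content-Security-Policy `value` line permits fetch/XHR/WebSocket traffic to any HTTPS or WSS host, and `script-src 'self' 'unsafe-eval' 'unsafe-inline'` lets an injected inline script or event-handler attribute execute, so the policy keeps the three named domains out only as script/image/style/font/frame sources — injected code still runs and can still reach them over fetch, which undercuts the injection mitigation the commit message claims. If the app's APIs are same-origin, tighten to `connect-src 'self'` plus an explicit allowlist of the hosts it really calls, and move script-src to the nonce-based form Next.js documents for middleware so `'unsafe-inline'` can be dropped; `'unsafe-eval'` is generally needed only by the development tooling and can be gated on `process.env.NODE_ENV === 'development'`. Two smaller points in the same value: add `object-src 'none'` (it currently inherits `default-src 'self'`), and `block-all-mixed-content` is deprecated in favour of `upgrade-insecure-requests`. Separately, `Strict-Transport-Security` with `preload` on every route commits the domain and all subdomains to HTTPS for two years once it reaches the preload list, and `X-DNS-Prefetch-Control: on` re-enables DNS prefetch for third-party links on HTTPS pages in most browsers, which sits oddly with the goal of not contacting those hosts — confirm both are intended rather than copied from the docs example.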