mirror/formbricks
1
0
Fork 0
mirror of https://github.com/formbricks/formbricks.git synced 2026-03-12 19:40:03 -05:00
Code Issues Packages Projects Releases 137 Wiki Activity

chore: harden CSP and X-Frame-Options headers (#7062)

Browse Source 
Co-authored-by: pandeymangg <anshuman.pandey9999@gmail.com>
This commit is contained in:
Matti Nannt
2026-01-06 07:21:19 +01:00
committed by GitHub
parent 9e1d1c1dc2
commit b960cfd2a1
1 changed files with 18 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
apps/web/next.config.mjs
View File

@@ -133,15 +133,32 @@ const nextConfig = {
const isProduction = process.env.NODE_ENV === "production";
const scriptSrcUnsafeEval = isProduction ? "" : " 'unsafe-eval'";
const cspBase = `default-src 'self'; script-src 'self' 'unsafe-inline'${scriptSrcUnsafeEval} https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' blob: data: http://localhost:9000 https:; font-src 'self' data: https:; connect-src 'self' http://localhost:9000 https: wss:; frame-src 'self' https://app.cal.com https:; media-src 'self' https:; object-src 'self' data: https:; base-uri 'self'; form-action 'self'`;
return [
{
// Apply X-Frame-Options to all routes except those starting with /s/ or /c/
// Apply X-Frame-Options and restricted frame-ancestors to all routes except those starting with /s/ or /c/
source: "/((?!s/|c/).*)",
headers: [
{
key: "X-Frame-Options",
value: "SAMEORIGIN",
},
{
key: "Content-Security-Policy",
value: `${cspBase}; frame-ancestors 'self'`,
},
],
},
{
// Allow surveys (/s/*) and contact survey links (/c/*) to be embedded in iframes on any domain
// Note: These routes need frame-ancestors * to support embedding surveys in customer websites
source: "/(s|c)/:path*",
headers: [
{
key: "Content-Security-Policy",
value: `${cspBase}; frame-ancestors *`,
},
],
},
{
@@ -179,10 +196,6 @@ const nextConfig = {
key: "X-Content-Type-Options",
value: "nosniff",
},
{
key: "Content-Security-Policy",
value: `default-src 'self'; script-src 'self' 'unsafe-inline'${scriptSrcUnsafeEval} https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' blob: data: http://localhost:9000 https:; font-src 'self' data: https:; connect-src 'self' http://localhost:9000 https: wss:; frame-src 'self' https://app.cal.com https:; media-src 'self' https:; object-src 'self' data: https:; base-uri 'self'; form-action 'self'`,
},
{
key: "Strict-Transport-Security",
value: "max-age=63072000; includeSubDomains; preload",