add x-frame-options and frame-ancestors headers to stop clickjacking …

…(#221)
GWT-M3O-TEST · May 10, 2022 · 7fe9122 · 7fe9122
1 parent d44e91f
commit 7fe9122
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/apps/web/next.config.js b/apps/web/next.config.js
@@ -1,3 +1,18 @@
+const ContentSecurityPolicy = `
+  frame-ancestors 'self';
+`
+
+const securityHeaders = [
+  {
+    key: 'X-Frame-Options',
+    value: 'SAMEORIGIN'
+  },
+  {
+    key: 'Content-Security-Policy',
+    value: ContentSecurityPolicy.replace(/\s{2,}/g, ' ').trim()
+  },
+]
+
 module.exports = {
   reactStrictMode: true,
   webpack(config) {
@@ -19,4 +34,12 @@ module.exports = {
       },
     ]
   },
+  async headers() {
+    return [
+      {
+        source: '/:path*',
+        headers: securityHeaders,
+      },
+    ]
+  },
 }