import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";
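/**
 * Builds the Content-Security-Policy header value.
 *
 * The policy is assembled on each call rather than at module load so that
 * S3_PUBLIC_URL is read from the runtime environment (docker-compose / .env),
 * e.g. http://localhost:9000 for local MinIO.
 *
 * @returns The policy as one string, directives joined by "; ".
 */
function buildCsp(): string {
  // NOTE(review): "*.amazonaws.com" and "*.r2.cloudflarestorage.com" match every
  // host under those domains, not only this application's bucket. Narrowing them
  // to the actual bucket host would tighten connect-src.
  const connectSrcExtras: string[] = [
    "https://*.amazonaws.com",
    "https://*.r2.cloudflarestorage.com",
  ];

  // The value is interpolated into the header verbatim. Whitespace would add a
  // further source expression, ";" would start a new directive and "," a second
  // policy, so a value containing any of them is left out and the policy stays
  // well-formed. The failure mode is closed: requests to that host are then
  // blocked by connect-src and show up as CSP violations in the browser.
  const s3PublicUrl = process.env.S3_PUBLIC_URL?.trim();
  if (s3PublicUrl && !/[\s;,]/.test(s3PublicUrl)) {
    connectSrcExtras.push(s3PublicUrl);
  }

  return [
    "default-src 'self'",
    // NOTE(review): 'unsafe-inline' and 'unsafe-eval' permit inline and eval'd
    // script, so script-src gives little protection against injected markup.
    // Replacing them with nonces or hashes needs support from the rendering side.
    "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
    "font-src 'self' https://fonts.gstatic.com",
    "img-src 'self' data: blob:",
    `connect-src 'self' ${connectSrcExtras.join(" ")}`,
    // Forbids embedding the site in any frame.
    "frame-ancestors 'none'",
  ].join("; ");
}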
/**
 * Next.js middleware entry point: lets the request continue unchanged and
 * attaches the Content-Security-Policy header to the outgoing response.
 *
 * @param request - The incoming request; not inspected here.
 * @returns The pass-through response carrying the CSP header.
 */
export function middleware(request: NextRequest) {
  // Computed per request so the policy reflects the current runtime environment.
  const policy = buildCsp();
  const passThrough = NextResponse.next();
  passThrough.headers.set("Content-Security-Policy", policy);
  return passThrough;
}
// Route filter for the middleware above.
// NOTE(review): Next.js is understood to read this object statically at build time,
// so the matcher is kept as a plain string literal — confirm before refactoring.
export const config = {
// Apply to all routes except Next.js internals and static files.
// The negative lookahead skips any path that begins with "_next/static",
// "_next/image" or "favicon.ico" after the leading slash. The match is a prefix
// match and the "." in "favicon.ico" is an unescaped wildcard, so longer paths
// sharing those prefixes are skipped too. Skipped paths get no
// Content-Security-Policy header from this middleware.
matcher: "/((?!_next/static|_next/image|favicon.ico).*)",
};