Merge pull request #273 from ente-io/web-security-clean

harden web security
2022-01-04 13:03:09 +05:30 · 2022-01-04 13:03:09 +05:30 · 1d0aa42630
parent 52c3d4ee57 72ed18f7aa
commit 1d0aa42630
3 changed files with 15 additions and 26 deletions
--- a/next.config.js
+++ b/next.config.js
@ -11,18 +11,6 @@ const gitSha = cp.execSync('git rev-parse --short HEAD', {
    encoding: 'utf8',
 });

-// eslint-disable-next-line camelcase
-const COOP_COEP_Headers = [
-    {
-        key: 'Cross-Origin-Opener-Policy',
-        value: 'same-origin',
-    },
-    {
-        key: 'Cross-Origin-Embedder-Policy',
-        value: 'require-corp',
-    },
-];
-
 module.exports = withSentryConfig(
    withWorkbox(
        withBundleAnalyzer({
@ -33,17 +21,6 @@ module.exports = withSentryConfig(
                swSrc: 'src/serviceWorker.js',
                exclude: [/manifest\.json$/i],
            },
-
-            // added to enabled shared Array buffer - https://web.dev/coop-coep/
-            headers() {
-                return [
-                    {
-                        // Apply these headers to all routes in your application....
-                        source: '/(.*)',
-                        headers: COOP_COEP_Headers,
-                    },
-                ];
-            },
            // https://dev.to/marcinwosinek/how-to-add-resolve-fallback-to-webpack-5-in-nextjs-10-i6j
            webpack: (config, { isServer }) => {
                if (!isServer) {
--- a/public/_headers
+++ b/public/_headers
@ -0,0 +1,12 @@
+/*
+    Cache-Control: no-store, must-revalidate
+    Cross-Origin-Embedder-Policy:  require-corp
+    Cross-Origin-Opener-Policy:  same-origin
+    Strict-Transport-Security:  max-age=63072000
+    X-Content-Type-Options: nosniff
+    X-Download-Options: noopen
+    X-Frame-Options: deny
+    X-XSS-Protection: 1; mode=block
+    Referrer-Policy: same-origin
+    Content-Security-Policy-Report-Only: default-src 'none'; img-src 'self' blob:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self' 'unsafe-eval' blob:; connect-src 'self' https://*.ente.io data: blob: https://ente-prod-eu.s3.eu-central-003.backblazeb2.com ; base-uri 'self'; frame-ancestors 'none'; form-action 'none'; report-uri https://csp-reporter.ente.io; report-to https://csp-reporter.ente.io;
+    
--- a/src/utils/common/apiUtil.ts
+++ b/src/utils/common/apiUtil.ts
@ -11,7 +11,7 @@ export const getFileUrl = (id: number) => {
            'https://api.ente.io'
        );
    }
-    return `https://files.ente.workers.dev/?fileID=${id}`;
+    return `https://files.ente.io/?fileID=${id}`;
 };

 export const getThumbnailUrl = (id: number) => {
@ -21,11 +21,11 @@ export const getThumbnailUrl = (id: number) => {
            'https://api.ente.io'
        );
    }
-    return `https://thumbnails.ente.workers.dev/?fileID=${id}`;
+    return `https://thumbnails.ente.io/?fileID=${id}`;
 };

 export const getSentryTunnelUrl = () => {
-    return `https://sentry-reporter.ente.workers.dev`;
+    return `https://sentry-reporter.ente.io`;
 };

 export const getPaymentsUrl = () => {