🐛 fix: add Content-Security-Policy env (#8752)

* fix: add Content-Security-Policy * feat: add env to control csp open or not * update env
2026-06-14 03:30:19 +00:00 · 2025-08-29 05:14:04 -04:00
parent 0220e81a92
commit 9250540912
2 changed files with 30 additions and 6 deletions
@@ -9,6 +9,7 @@ const buildWithDocker = process.env.DOCKER === 'true';
 const isDesktop = process.env.NEXT_PUBLIC_IS_DESKTOP_APP === '1';
 const enableReactScan = !!process.env.REACT_SCAN_MONITOR_API_KEY;
 const isUsePglite = process.env.NEXT_PUBLIC_CLIENT_DB === 'pglite';
+const shouldUseCSP = process.env.ENABLED_CSP === '1';

 // if you need to proxy the api endpoint to remote server

@@ -41,14 +42,29 @@ const nextConfig: NextConfig = {
    webVitalsAttribution: ['CLS', 'LCP'],
  },
  async headers() {
+    const securityHeaders = [
+      {
+        key: 'x-robots-tag',
+        value: 'all',
+      },
+    ];
+
+    if (shouldUseCSP) {
+      securityHeaders.push(
+        {
+          key: 'X-Frame-Options',
+          value: 'DENY',
+        },
+        {
+          key: 'Content-Security-Policy',
+          value: "frame-ancestors 'none';",
+        },
+      );
+    }
+
    return [
      {
-        headers: [
-          {
-            key: 'x-robots-tag',
-            value: 'all',
-          },
-        ],
+        headers: securityHeaders,
        source: '/:path*',
      },
      {