Jennie Robinson Faber
fed1cc4bc7
The oidc-provider generates form actions with http:// URLs that conflict with the CSP form-action directive. OIDC routes serve self-contained HTML outside Nuxt, so CSP is not needed there.
35 lines
1.3 KiB
JavaScript
35 lines
1.3 KiB
JavaScript
export default defineEventHandler((event) => {
|
|
const path = getRequestURL(event).pathname
|
|
|
|
const headers = {
|
|
'X-Content-Type-Options': 'nosniff',
|
|
'X-Frame-Options': 'DENY',
|
|
'X-XSS-Protection': '0',
|
|
'Referrer-Policy': 'strict-origin-when-cross-origin',
|
|
'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
|
|
}
|
|
|
|
if (process.env.NODE_ENV === 'production') {
|
|
headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
|
|
|
|
// Skip CSP for OIDC routes — they serve self-contained HTML
|
|
// rendered by oidc-provider with its own form actions
|
|
if (!path.startsWith('/oidc/')) {
|
|
headers['Content-Security-Policy'] = [
|
|
"default-src 'self'",
|
|
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
|
|
"style-src 'self' 'unsafe-inline'",
|
|
"img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
|
|
"font-src 'self'",
|
|
"connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
|
|
"frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
|
|
"base-uri 'self'",
|
|
"form-action 'self'",
|
|
].join('; ')
|
|
}
|
|
}
|
|
|
|
for (const [key, value] of Object.entries(headers)) {
|
|
setHeader(event, key, value)
|
|
}
|
|
})
|