Revert "chore: add CORS"
This reverts commit 23c6d3e.
ruchernchong committed Dec 1, 2024
1 parent ba75497 commit abce734
Showing 2 changed files with 1 addition and 86 deletions.
40 changes: 0 additions & 40 deletions middleware.ts
Expand Up @@ -4,16 +4,6 @@ import { DOMAIN_NAME } from "@/config";
export const middleware = (request: NextRequest) => {
const nonce = Buffer.from(crypto.randomUUID()).toString("base64");

// Define allowed origins including Vercel deployment URLs
const VERCEL_URL = process.env.VERCEL_URL;
const allowedOrigins = [
`https://${DOMAIN_NAME}`,
...(VERCEL_URL ? [`https://${VERCEL_URL}`] : []),
process.env.NODE_ENV === "development" ? "http://localhost:3000" : "",
].filter(Boolean);

const origin = request.headers.get("origin");

const cspHeader = `
default-src 'self';
script-src 'self' 'unsafe-inline' *.${DOMAIN_NAME} *.vercel-scripts.com *.googletagmanager.com;
Expand All @@ -39,38 +29,8 @@ export const middleware = (request: NextRequest) => {
headers: requestHeaders,
},
});

// Set security headers
response.headers.set("Content-Security-Policy", cspHeader);

// Set CORS headers only if origin is in allowed list
if (origin && allowedOrigins.includes(origin)) {
response.headers.set("Access-Control-Allow-Origin", origin);
response.headers.set("Access-Control-Allow-Credentials", "true");
response.headers.set(
"Access-Control-Allow-Methods",
"GET,HEAD,POST,OPTIONS",
);
response.headers.set(
"Access-Control-Allow-Headers",
"X-Requested-With,Content-Type,Authorization",
);
}

// Additional security headers
response.headers.set("X-DNS-Prefetch-Control", "on");
response.headers.set(
"Strict-Transport-Security",
"max-age=63072000; includeSubDomains; preload",
);
response.headers.set("X-Content-Type-Options", "nosniff");
response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
response.headers.set("X-Frame-Options", "SAMEORIGIN");
response.headers.set(
"Permissions-Policy",
"camera=(), microphone=(), geolocation=()",
);

return response;
};

47 changes: 1 addition & 46 deletions next.config.ts
@@ -1,17 +1,9 @@
import type { NextConfig } from "next";
import { withContentlayer } from "next-contentlayer2";
import { DOMAIN_NAME } from "@/config";

const nextConfig: NextConfig = {
reactStrictMode: true,
async headers() {
const VERCEL_URL = process.env.VERCEL_URL;
const allowedOrigins = [
`https://${DOMAIN_NAME}`,
...(VERCEL_URL ? [`https://${VERCEL_URL}`] : []),
process.env.NODE_ENV === "development" ? "http://localhost:3000" : "",
].filter(Boolean);

return [
{
source: "/(.*)",
Expand Down Expand Up @@ -42,44 +34,7 @@ const nextConfig: NextConfig = {
},
{
key: "Referrer-Policy",
value: "strict-origin-when-cross-origin",
},
{
key: "Access-Control-Allow-Origin",
value: allowedOrigins.join(","),
},
{
key: "Access-Control-Allow-Methods",
value: "GET,HEAD,POST,OPTIONS",
},
{
key: "Access-Control-Allow-Headers",
value: "X-Requested-With,Content-Type,Authorization",
},
{
key: "Access-Control-Allow-Credentials",
value: "true",
},
],
},
{
source: "/api/(.*)",
headers: [
{
key: "Access-Control-Allow-Origin",
value: allowedOrigins.join(","),
},
{
key: "Access-Control-Allow-Methods",
value: "GET,HEAD,POST,PUT,DELETE,OPTIONS",
},
{
key: "Access-Control-Allow-Headers",
value: "X-Requested-With,Content-Type,Authorization",
},
{
key: "Access-Control-Allow-Credentials",
value: "true",
value: "origin-when-cross-origin",
},
],
},
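Review bot: The single line added on the new side, `value: "origin-when-cross-origin",`, appears to replace `strict-origin-when-cross-origin` for the `Referrer-Policy` key at the top of this hunk, so the revert weakens the referrer policy alongside removing CORS. `origin-when-cross-origin` still sends the origin on an HTTPS-to-HTTP cross-origin navigation, whereas `strict-origin-when-cross-origin` (the value middleware.ts set in the lines this commit deletes) withholds it on a downgrade. If the intent is only to undo CORS, keep `value: "strict-origin-when-cross-origin",` here. The `headers()` array begins before this hunk and its remaining entries are out of view, so whether HSTS, X-Content-Type-Options, X-Frame-Options and Permissions-Policy, all dropped from middleware.ts in this same commit, are still emitted anywhere cannot be confirmed from this page and is worth checking before merging.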
