🐛 fix: add Content-Security-Policy env (#8752)

* fix: add Content-Security-Policy * feat: add env to control csp open or not * update env
2026-04-21 17:47:27 +00:00 · 2025-08-29 05:14:04 -04:00 · 2025-08-29 05:14:04 -04:00 · 9250540912
commit 9250540912
parent 0220e81a92
2 changed files with 30 additions and 6 deletions
--- a/.env.example
+++ b/.env.example
@ -4,6 +4,14 @@
 # Specify your API Key selection method, currently supporting `random` and `turn`.
 # API_KEY_SELECT_MODE=random

+########################################
+########### Security Settings ###########
+########################################
+
+# Control Content Security Policy headers
+# Set to '1' to enable X-Frame-Options and Content-Security-Policy headers
+# Default is '0' (enabled)
+# ENABLED_CSP=1

 ########################################
 ########## AI Provider Service #########
--- a/next.config.ts
+++ b/next.config.ts
@ -9,6 +9,7 @@ const buildWithDocker = process.env.DOCKER === 'true';
 const isDesktop = process.env.NEXT_PUBLIC_IS_DESKTOP_APP === '1';
 const enableReactScan = !!process.env.REACT_SCAN_MONITOR_API_KEY;
 const isUsePglite = process.env.NEXT_PUBLIC_CLIENT_DB === 'pglite';
+const shouldUseCSP = process.env.ENABLED_CSP === '1';

 // if you need to proxy the api endpoint to remote server

@ -41,14 +42,29 @@ const nextConfig: NextConfig = {
    webVitalsAttribution: ['CLS', 'LCP'],
  },
  async headers() {
+    const securityHeaders = [
+      {
+        key: 'x-robots-tag',
+        value: 'all',
+      },
+    ];
+
+    if (shouldUseCSP) {
+      securityHeaders.push(
+        {
+          key: 'X-Frame-Options',
+          value: 'DENY',
+        },
+        {
+          key: 'Content-Security-Policy',
+          value: "frame-ancestors 'none';",
+        },
+      );
+    }
+
    return [
      {
-        headers: [
-          {
-            key: 'x-robots-tag',
-            value: 'all',
-          },
-        ],
+        headers: securityHeaders,
        source: '/:path*',
      },
      {