Enforce CSP on /login as well (#11610)

pull/11611/head
Hariom Balhara 2023-09-29 16:20:15 +05:30 committed by GitHub
parent cf43d9dcfc
commit c22d406d12
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions


@ -40,7 +40,7 @@ const middleware: NextMiddleware = async (req) => {
requestHeaders.set("x-cal-timezone", req.headers.get("x-vercel-ip-timezone") ?? ""); requestHeaders.set("x-cal-timezone", req.headers.get("x-vercel-ip-timezone") ?? "");
} }
if (url.pathname.startsWith("/auth/login")) { if (url.pathname.startsWith("/auth/login") || url.pathname.startsWith("/login")) {
// Use this header to actually enforce CSP, otherwise it is running in Report Only mode on all pages. // Use this header to actually enforce CSP, otherwise it is running in Report Only mode on all pages.
requestHeaders.set("x-csp-enforce", "true"); requestHeaders.set("x-csp-enforce", "true");
} }
@ -68,6 +68,7 @@ export const config = {
matcher: [ matcher: [
"/:path*/embed", "/:path*/embed",
"/api/trpc/:path*", "/api/trpc/:path*",
"/login",
"/auth/login", "/auth/login",
/** /**
* Paths required by routingForms.handle * Paths required by routingForms.handle
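Review bot: The new `url.pathname.startsWith("/login")` test in the first hunk is a prefix match, while the `"/login"` entry added to `config.matcher` in the second hunk appears to cover only that exact path, so the two lists that together decide CSP enforcement do not describe the same set of routes. Enforcement happens only when a request both reaches the middleware and passes the pathname check, so a login sub-route missing from the matcher would stay in Report-Only mode with nothing to signal it. I would make the check explicit, `url.pathname === "/login" || url.pathname.startsWith("/login/")`, and add `"/login/:path*"` to the matcher if such sub-routes exist, or derive both from one shared list of enforced paths. A short comment next to the matcher entry, such as `// keep in sync with the x-csp-enforce path check in middleware`, would help the next person adding an auth page. Both the middleware body and the matcher array continue outside the lines shown, so an existing entry may already cover this.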