dify/web/middleware.ts at main · langgenius/dify · GitHub

Name: dify/web/middleware.ts at main · langgenius/dify · GitHub
Rating: 4.5 (4419 reviews)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
importtype{NextRequest}from'next/server'
import{NextResponse}from'next/server'

constNECESSARY_DOMAIN='*.sentry.io http://localhost:* http://127.0.0.1:* https://analytics.google.com googletagmanager.com *.googletagmanager.com https://www.google-analytics.com https://api.github.com'

constwrapResponseWithXFrameOptions=(response: NextResponse,pathname: string)=>{
// prevent clickjacking: https://owasp.org/www-community/attacks/Clickjacking
// Chatbot page should be allowed to be embedded in iframe. It's a feature
if(process.env.NEXT_PUBLIC_ALLOW_EMBED!=='true'&&!pathname.startsWith('/chat')&&!pathname.startsWith('/workflow')&&!pathname.startsWith('/completion'))
response.headers.set('X-Frame-Options','DENY')

returnresponse
}
exportfunctionmiddleware(request: NextRequest){
const{ pathname }=request.nextUrl
constrequestHeaders=newHeaders(request.headers)
constresponse=NextResponse.next({
request: {
headers: requestHeaders,
},
})

constisWhiteListEnabled=!!process.env.NEXT_PUBLIC_CSP_WHITELIST&&process.env.NODE_ENV==='production'
if(!isWhiteListEnabled)
returnwrapResponseWithXFrameOptions(response,pathname)

constwhiteList=`${process.env.NEXT_PUBLIC_CSP_WHITELIST}${NECESSARY_DOMAIN}`
constnonce=Buffer.from(crypto.randomUUID()).toString('base64')
constcsp=`'nonce-${nonce}'`

constscheme_source='data: mediastream: blob: filesystem:'

constcspHeader=`
 default-src 'self' ${scheme_source}${csp}${whiteList};
 connect-src 'self' ${scheme_source}${csp}${whiteList};
 script-src 'self' ${scheme_source}${csp}${whiteList};
 style-src 'self' 'unsafe-inline' ${scheme_source}${whiteList};
 worker-src 'self' ${scheme_source}${csp}${whiteList};
 media-src 'self' ${scheme_source}${csp}${whiteList};
 img-src 'self' ${scheme_source}${csp}${whiteList};
 font-src 'self';
 object-src 'none';
 base-uri 'self';
 form-action 'self';
 upgrade-insecure-requests;
`
// Replace newline characters and spaces
constcontentSecurityPolicyHeaderValue=cspHeader
.replace(/\s{2,}/g,' ')
.trim()

requestHeaders.set('x-nonce',nonce)

requestHeaders.set(
'Content-Security-Policy',
contentSecurityPolicyHeaderValue,
)

response.headers.set(
'Content-Security-Policy',
contentSecurityPolicyHeaderValue,
)

returnwrapResponseWithXFrameOptions(response,pathname)
}

exportconstconfig={
matcher: [
/*
 * Match all request paths except for the ones starting with:
 * - api (API routes)
 * - _next/static (static files)
 * - _next/image (image optimization files)
 * - favicon.ico (favicon file)
 */
{
// source: '/((?!api|_next/static|_next/image|favicon.ico).*)',
source: '/((?!_next/static|_next/image|favicon.ico).*)',
// source: '/(.*)',
// missing: [
// { type: 'header', key: 'next-router-prefetch' },
// { type: 'header', key: 'purpose', value: 'prefetch' },
// ],
},
],
}