OpenSource
/
dify
关注 4
点赞 0
派生 0
代码 工单 0 合并请求 0 版本发布 152 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
6441 提交
4 分支
分支: Hacked_1.7.0
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 'Hacked_1.7.0'
${ noResults }
dify/web/middleware.ts

middleware.ts 3.0KB
原始文件 永久链接 Blame 文件历史

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586 
  1. import type { NextRequest } from 'next/server'

  2. import { NextResponse } from 'next/server'

  3. 

  4. const NECESSARY_DOMAIN = '*.sentry.io http://localhost:* http://127.0.0.1:* https://analytics.google.com googletagmanager.com *.googletagmanager.com https://www.google-analytics.com https://api.github.com'

  5. 

  6. const wrapResponseWithXFrameOptions = (response: NextResponse, pathname: string) => {

  7.   // prevent clickjacking: https://owasp.org/www-community/attacks/Clickjacking

  8.   // Chatbot page should be allowed to be embedded in iframe. It's a feature

  9.   if (process.env.NEXT_PUBLIC_ALLOW_EMBED !== 'true' && !pathname.startsWith('/chat') && !pathname.startsWith('/workflow') && !pathname.startsWith('/completion') && !pathname.startsWith('/webapp-signin'))

  10.     response.headers.set('X-Frame-Options', 'DENY')

  11. 

  12.   return response

  13. }

  14. export function middleware(request: NextRequest) {

  15.   const { pathname } = request.nextUrl

  16.   const requestHeaders = new Headers(request.headers)

  17.   const response = NextResponse.next({

  18.     request: {

  19.       headers: requestHeaders,

  20.     },

  21.   })

  22. 

  23.   const isWhiteListEnabled = !!process.env.NEXT_PUBLIC_CSP_WHITELIST && process.env.NODE_ENV === 'production'

  24.   if (!isWhiteListEnabled)

  25.     return wrapResponseWithXFrameOptions(response, pathname)

  26. 

  27.   const whiteList = `${process.env.NEXT_PUBLIC_CSP_WHITELIST} ${NECESSARY_DOMAIN}`

  28.   const nonce = Buffer.from(crypto.randomUUID()).toString('base64')

  29.   const csp = `'nonce-${nonce}'`

  30. 

  31.   const scheme_source = 'data: mediastream: blob: filesystem:'

  32. 

  33.   const cspHeader = `

  34.     default-src 'self' ${scheme_source} ${csp} ${whiteList};

  35.     connect-src 'self' ${scheme_source} ${csp} ${whiteList};

  36.     script-src 'self' ${scheme_source} ${csp} ${whiteList};

  37.     style-src 'self' 'unsafe-inline' ${scheme_source} ${whiteList};

  38.     worker-src 'self' ${scheme_source} ${csp} ${whiteList};

  39.     media-src 'self' ${scheme_source} ${csp} ${whiteList};

  40.     img-src * data: blob:;

  41.     font-src 'self';

  42.     object-src 'none';

  43.     base-uri 'self';

  44.     form-action 'self';

  45.     upgrade-insecure-requests;

  46. `

  47.   // Replace newline characters and spaces

  48.   const contentSecurityPolicyHeaderValue = cspHeader

  49.     .replace(/\s{2,}/g, ' ')

  50.     .trim()

  51. 

  52.   requestHeaders.set('x-nonce', nonce)

  53. 

  54.   requestHeaders.set(

  55.     'Content-Security-Policy',

  56.     contentSecurityPolicyHeaderValue,

  57.   )

  58. 

  59.   response.headers.set(

  60.     'Content-Security-Policy',

  61.     contentSecurityPolicyHeaderValue,

  62.   )

  63. 

  64.   return wrapResponseWithXFrameOptions(response, pathname)

  65. }

  66. 

  67. export const config = {

  68.   matcher: [

  69.     /*

  70.      * Match all request paths except for the ones starting with:

  71.      * - api (API routes)

  72.      * - _next/static (static files)

  73.      * - _next/image (image optimization files)

  74.      * - favicon.ico (favicon file)

  75.      */

  76.     {

  77.       // source: '/((?!api|_next/static|_next/image|favicon.ico).*)',

  78.       source: '/((?!_next/static|_next/image|favicon.ico).*)',

  79.       // source: '/(.*)',

  80.       // missing: [

  81.       //   { type: 'header', key: 'next-router-prefetch' },

  82.       //   { type: 'header', key: 'purpose', value: 'prefetch' },

  83.       // ],

  84.     },

  85.   ],

  86. }