OpenSource
/
dify
Suivre 4
Ajouter aux favoris 0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 152 Wiki Activité
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
5927 Révisions
4 Branches
Aborescence: 157d916154
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '157d916154'
${ noResults }
dify/web/middleware.ts

middleware.ts 2.9KB
Brut Annotations Historique

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081 
  1. import type { NextRequest } from 'next/server'

  2. import { NextResponse } from 'next/server'

  3. 

  4. const NECESSARY_DOMAIN = '*.sentry.io http://localhost:* http://127.0.0.1:* https://analytics.google.com googletagmanager.com *.googletagmanager.com https://www.google-analytics.com https://api.github.com'

  5. 

  6. const wrapResponseWithXFrameOptions = (response: NextResponse, pathname: string) => {

  7.   // prevent clickjacking: https://owasp.org/www-community/attacks/Clickjacking

  8.   // Chatbot page should be allowed to be embedded in iframe. It's a feature

  9.   if (process.env.NEXT_PUBLIC_ALLOW_EMBED !== 'true' && !pathname.startsWith('/chat') && !pathname.startsWith('/workflow') && !pathname.startsWith('/completion') && !pathname.startsWith('/webapp-signin'))

  10.     response.headers.set('X-Frame-Options', 'DENY')

  11. 

  12.   return response

  13. }

  14. export function middleware(request: NextRequest) {

  15.   const { pathname } = request.nextUrl

  16.   const requestHeaders = new Headers(request.headers)

  17.   const response = NextResponse.next({

  18.     request: {

  19.       headers: requestHeaders,

  20.     },

  21.   })

  22. 

  23.   const isWhiteListEnabled = !!process.env.NEXT_PUBLIC_CSP_WHITELIST && process.env.NODE_ENV === 'production'

  24.   if (!isWhiteListEnabled)

  25.     return wrapResponseWithXFrameOptions(response, pathname)

  26. 

  27.   const whiteList = `${process.env.NEXT_PUBLIC_CSP_WHITELIST} ${NECESSARY_DOMAIN}`

  28.   const nonce = Buffer.from(crypto.randomUUID()).toString('base64')

  29.   const csp = `'nonce-${nonce}'`

  30. 

  31.   const scheme_source = 'data: mediastream: blob: filesystem:'

  32. 

  33.   const cspHeader = `

  34.     default-src 'self' ${scheme_source} ${csp} ${whiteList};

  35.     connect-src 'self' ${scheme_source} ${csp} ${whiteList};

  36.     script-src 'self' ${scheme_source} ${csp} ${whiteList};

  37.     style-src 'self' 'unsafe-inline' ${scheme_source} ${whiteList};

  38.     worker-src 'self' ${scheme_source} ${csp} ${whiteList};

  39.     media-src 'self' ${scheme_source} ${csp} ${whiteList};

  40.     img-src * data: blob:;

  41.     font-src 'self';

  42.     object-src 'none';

  43.     base-uri 'self';

  44.     form-action 'self';

  45.     upgrade-insecure-requests;

  46. `

  47.   // Replace newline characters and spaces

  48.   const contentSecurityPolicyHeaderValue = cspHeader

  49.     .replace(/\s{2,}/g, ' ')

  50.     .trim()

  51. 

  52.   requestHeaders.set('x-nonce', nonce)

  53. 

  54.   requestHeaders.set(

  55.     'Content-Security-Policy',

  56.     contentSecurityPolicyHeaderValue,

  57.   )

  58. 

  59.   return wrapResponseWithXFrameOptions(response, pathname)

  60. }

  61. 

  62. export const config = {

  63.   matcher: [

  64.     /*

  65.      * Match all request paths except for the ones starting with:

  66.      * - api (API routes)

  67.      * - _next/static (static files)

  68.      * - _next/image (image optimization files)

  69.      * - favicon.ico (favicon file)

  70.      */

  71.     {

  72.       // source: '/((?!api|_next/static|_next/image|favicon.ico).*)',

  73.       source: '/((?!_next/static|_next/image|favicon.ico).*)',

  74.       // source: '/(.*)',

  75.       // missing: [

  76.       //   { type: 'header', key: 'next-router-prefetch' },

  77.       //   { type: 'header', key: 'purpose', value: 'prefetch' },

  78.       // ],

  79.     },

  80.   ],

  81. }