chore: add security headers (langfuse#473)

Author: marcklingen

next.config.mjs

@@ -6,6 +6,26 @@ const withBundleAnalyzer = NextBundleAnalyzer({
   enabled: process.env.ANALYZE === 'true',
 })
 
+/**
+ * CSP headers
+ * img-src https to allow loading images from SSO providers
+ */
+const cspHeader = `
+  default-src 'self' https: wss:;
+  script-src 'self' 'unsafe-eval' 'unsafe-inline' https:;
+  style-src 'self' 'unsafe-inline' https:;
+  img-src 'self' https: blob: data:;
+  font-src 'self' https:;
+  frame-src 'self' https:;
+  worker-src 'self' blob:;
+  object-src 'none';
+  base-uri 'self';
+  form-action 'self';
+  frame-ancestors 'none';
+  upgrade-insecure-requests;
+  block-all-mixed-content;
+`;
+
 // nextra config
 const withNextra = nextra({
   theme: 'nextra-theme-docs',
@@ -36,6 +56,40 @@ const nextraConfig = withNextra({
       },
     ],
   },
+  headers() {
+    return [
+      {
+        source: "/:path*",
+        headers: [
+          {
+            key: "x-frame-options",
+            value: "SAMEORIGIN",
+          },
+          {
+            key: "X-Content-Type-Options",
+            value: "nosniff",
+          },
+          {
+            key: "Referrer-Policy",
+            value: "strict-origin-when-cross-origin",
+          },
+          {
+            key: "Permissions-Policy",
+            value: "autoplay=*, fullscreen=*, microphone=*",
+          },
+        ],
+      },
+      {
+        source: "/:path((?!api).*)*",
+        headers: [
+          {
+            key: "Content-Security-Policy",
+            value: cspHeader.replace(/\n/g, ""),
+          },
+        ],
+      },
+    ]
+  },
   redirects: async () => [
     ...nonPermanentRedirects.map(([source, destination]) => ({
       source,