From d5d25fa0fe7ca5ac5a4a05f6a8e21d8e44756032 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuel=20H=C3=B6ra?= Date: Fri, 29 Apr 2022 11:07:48 +0200 Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20added=20security=20?= =?UTF-8?q?headers?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- next.config.js | 46 ++++++++++++++++++++++++++++++++++++++++++++++ vercel.json | 39 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 85 insertions(+)
diff --git a/next.config.js b/next.config.js
index abe5a41f..1d760105 100644
--- a/next.config.js
+++ b/next.config.js
@@ -21,6 +21,52 @@ const nextConfig = {
 images: {
 domains: ["cdn.discordapp.com", "media.discordapp.net"],
 },
+ async headers() {
+ return [
+ {
+ source: "/:path*",
+ headers: [
+ {
+ key: "X-DNS-Prefetch-Control",
+ value: "on"
+ },
+ {
+ key: "Strict-Transport-Security",
+ value: "max-age=63072000; includeSubDomains; preload"
+ },
+ {
+ key: "X-XSS-Protection",
+ value: "1; mode=block"
+ },
+ {
+ key: "X-Frame-Options",
+ value: "SAMEORIGIN"
+ },
+ {
+ key: "Permissions-Policy",
+ value: ""
+ },
+ {
+ key: "X-Content-Type-Options",
+ value: "nosniff"
+ },
+ {
+ key: "Referrer-Policy",
+ value: "same-origin"
+ },
+ {
+ key: "Content-Security-Policy",
+ value: `
+ default-src 'none';
+ script-src 'self' statistics.helo-system.de;
+ style-src 'self';
+ font-src 'self';
+ `
+ }
+ ],
+ },
+ ]
+ },
 };
 
 module.exports = nextConfig;
diff --git a/vercel.json b/vercel.json
index 29d1aed7..bb726c90 100644
--- a/vercel.json
+++ b/vercel.json
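Review bot: The `Content-Security-Policy` value at the end of the new `headers()` array is a template literal that keeps its newlines and indentation, and Node's `setHeader` rejects CR/LF in header values (`ERR_INVALID_CHAR`), so this is likely to throw at request time instead of sending the policy — collapse it to one line with `.replace(/\s+/g, " ").trim()`. The policy is also too narrow for this app: with `default-src 'none'` and no `img-src` or `connect-src`, every image (including the Discord CDN hosts whitelisted in `images.domains` just above) and every `fetch`/XHR from the page is blocked, and `style-src 'self'` without `'unsafe-inline'` will block inline styles if any component or styled-jsx injects them, so adjust the directives to what the pages actually load. `X-XSS-Protection: 1; mode=block` re-enables a deprecated filter that has itself been abused for cross-site leaks; current guidance is `value: "0"`. The empty `Permissions-Policy: ""` entry sends a meaningless header and should be removed or given a real policy. A sketch of the CSP entry:

```javascript
// … unchanged: X-DNS-Prefetch-Control … Referrer-Policy entries …
{
  key: "Content-Security-Policy",
  // Header values must not contain CR/LF: keep the template literal for
  // readability, then collapse all whitespace to single spaces.
  value: `
    default-src 'none';
    script-src 'self' statistics.helo-system.de;
    style-src 'self';
    img-src 'self' cdn.discordapp.com media.discordapp.net;
    connect-src 'self';
    font-src 'self';
    frame-ancestors 'self';
  `.replace(/\s+/g, " ").trim(),
},
```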
@@ -4,5 +4,44 @@
 "source": "/api/:path*",
 "destination": "http://api.helo-system.de/:path*"
 }
+ ],
+ "headers": [
+ {
+ "source": "/:path*",
+ "headers": [
+ {
+ "key": "X-DNS-Prefetch-Control",
+ "value": "on"
+ },
+ {
+ "key": "Strict-Transport-Security",
+ "value": "max-age=63072000; includeSubDomains; preload"
+ },
+ {
+ "key": "X-XSS-Protection",
+ "value": "1; mode=block"
+ },
+ {
+ "key": "X-Frame-Options",
+ "value": "SAMEORIGIN"
+ },
+ {
+ "key": "Permissions-Policy",
+ "value": ""
+ },
+ {
+ "key": "X-Content-Type-Options",
+ "value": "nosniff"
+ },
+ {
+ "key": "Referrer-Policy",
+ "value": "same-origin"
+ },
+ {
+ "key": "Content-Security-Policy",
+ "value": "default-src 'none'; script-src 'self' statistics.helo-system.de; style-src 'self'; font-src 'self';"
+ }
+ ]
+ }
 ]
 }
From c643fad055339c700be7f0f14749f757f72d6e24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuel=20H=C3=B6ra?= Date: Fri, 29 Apr 2022 11:33:02 +0200 Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=92=EF=B8=8Fadded=20Permissions-Po?= =?UTF-8?q?licy=20header?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- next.config.js | 4 ++++ vercel.json | 4 ++++ 2 files changed, 8 insertions(+)
diff --git a/next.config.js b/next.config.js
index 1d760105..5287a8b9 100644
--- a/next.config.js
+++ b/next.config.js
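Review bot: The new CSP in this `headers` block has no `connect-src`, so under `default-src 'none'` browsers block every `fetch`/XHR the pages make — including calls to the `/api/:path*` rewrite defined a few lines above in the same file — and no `img-src`, so images are blocked too; add at least `connect-src 'self'` plus an `img-src` list matching the hosts the pages load from. The same eight headers are now maintained both here and in `next.config.js`, and the two copies already differ (one-line CSP here, multi-line template there), so pick one place as the source of truth before they drift further. `Strict-Transport-Security` with `includeSubDomains; preload` commits every subdomain to HTTPS, yet the rewrite right above still proxies `/api` to `http://api.helo-system.de`; that hop is server-side and not covered by HSTS, so switch it to `https://` if the API serves it. The empty `"Permissions-Policy": ""` entry does nothing and should be removed rather than left beside a real policy.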
@@ -62,6 +62,10 @@ const nextConfig = {
 style-src 'self';
 font-src 'self';
 `
+ },
+ {
+ "key":"Permissions-Policy",
+ "value":"Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()"
 }
 ],
 },
diff --git a/vercel.json b/vercel.json
index bb726c90..8ee086f7 100644
--- a/vercel.json
+++ b/vercel.json
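Review bot: The new `Permissions-Policy` value starts with the literal text `Permissions-Policy: `, so the header goes out as `Permissions-Policy: Permissions-Policy: accelerometer=(), …`; the first dictionary member then has an uppercase, colon-containing key, which is invalid Structured-Fields syntax, and Chromium-style parsers discard the whole header on such an error, leaving none of the restrictions in effect. Drop the prefix so the value begins `"value": "accelerometer=(), ambient-light-sensor=(), …"`. This entry is also appended next to the empty `Permissions-Policy: ""` object the previous commit put at lines 45–47 of this file (outside the hunk), so the key now appears twice in the array; remove the empty one rather than rely on which of the two Next.js emits last. Stylistically, `"key":"…"` / `"value":"…"` use quoted keys with no space after the colon, unlike every other entry in this array (`key: "…"`). The `headers()` method these lines belong to starts and ends outside the hunk.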
@@ -40,6 +40,10 @@
 {
 "key": "Content-Security-Policy",
 "value": "default-src 'none'; script-src 'self' statistics.helo-system.de; style-src 'self'; font-src 'self';"
+ },
+ {
+ "key":"Permissions-Policy",
+ "value":"Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()"
 }
 ]
 }
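Review bot: The `"value"` added here is prefixed with the header name, producing `Permissions-Policy: Permissions-Policy: accelerometer=(), …` on the wire; that leading `Permissions-Policy:` token is not a valid policy-controlled feature name and makes the whole dictionary unparsable, so browsers are likely to ignore the header entirely instead of disabling anything. The value should start directly with the feature list: `"value": "accelerometer=(), ambient-light-sensor=(), …"`. This also leaves the `"Permissions-Policy": ""` entry from the previous commit (around lines 28–31, outside the hunk) in the same array, so the header key is listed twice and whether Vercel sends the first, the last, or both is left to the platform; delete the empty one. The two `"key":`/`"value":` lines also drop the space after the colon that every other entry here uses. The enclosing `headers` array and root object start outside the hunk.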