fix: csp fixes

* fix: analytics req

* fix: for now i must disable this

* fix: tmp disable

Author: qamarq

backend/config/shield.ts

@@ -16,9 +16,9 @@ const shieldConfig = defineConfig({
    * to learn more
    */
   csrf: {
-    enabled: true,
+    enabled: false,
     exceptRoutes: ["/user/login"],
-    enableXsrfCookie: true,
+    enableXsrfCookie: false,
     methods: ["POST", "PUT", "PATCH", "DELETE"],
   },
 

frontend/src/middleware.ts

@@ -6,7 +6,7 @@ import { auth } from "./lib/auth";
 export async function middleware(request: NextRequest) {
   const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
   const cspHeader = `
-    default-src 'self' 'nonce-${nonce}' https://fonts.googleapis.com https://fonts.gstatic.com ${process.env.NODE_ENV === "development" ? "'unsafe-eval'" : ""};
+    default-src 'self' 'nonce-${nonce}' https://fonts.googleapis.com https://fonts.gstatic.com https://analytics.solvro.pl;
     script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${process.env.NODE_ENV === "development" ? "'unsafe-eval'" : ""} https://analytics.solvro.pl;
     style-src 'self' 'nonce-${nonce}';
     img-src 'self' blob: data: https://avatars.githubusercontent.com https://wit.pwr.edu.pl https://cms.solvro.pl https://apps.usos.pwr.edu.pl;