diff --git a/app/api/hello/route.ts b/app/api/hello/route.ts
deleted file mode 100644
index 48fee317d..000000000
--- a/app/api/hello/route.ts
+++ /dev/null
@@ -1,5 +0,0 @@
-export async function GET(request: Request) {
- return new Response('Blood frontend server running...', {
- status: 200,
- });
-}
diff --git a/components/common/Carousel.tsx b/components/common/Carousel.tsx
index d25dbefb7..92a7f2748 100644
--- a/components/common/Carousel.tsx
+++ b/components/common/Carousel.tsx
@@ -128,7 +128,6 @@ const CustomDots = ({ carouselTheme = 'primary' }: { carouselTheme: 'primary' |
 const Carousel = (props: CarouselProps) => {
 const { items, title = 'carousel', theme = 'primary' } = props;
- console.log('calc', items.length % 3 === 1);
 return ( { {title} - {getIntroduction()} + {getIntroduction()} {progressStatus && } {cta && {cta}}
diff --git a/lib/utils/hasAutomaticAccessCodeFeature.test.ts b/lib/utils/hasAutomaticAccessCodeFeature.test.ts
index c0dac2ccd..bcc588cde 100644
--- a/lib/utils/hasAutomaticAccessCodeFeature.test.ts
+++ b/lib/utils/hasAutomaticAccessCodeFeature.test.ts
@@ -6,6 +6,7 @@ const partnerData = {
 id: 'partner',
 name: 'partnerName',
 partnerFeature: [],
+ isActive: true,
 } as Partner;
 
 const accessCodePartnerFeature = {
diff --git a/next.config.js b/next.config.js
index 772e782ed..927f6d48f 100644
--- a/next.config.js
+++ b/next.config.js
@@ -125,15 +125,15 @@ module.exports = withBundleAnalyzer(
 // form-action: Restricts form actions to the same origin.
 // frame-ancestors: Restricts embedding to the same origin.
 async headers() {
- const headers = [
+ return [
 {
 source: '/:path',
 headers: [
 {
- key: 'Content-Security-Policy-Report-Only', // Leaving this as report only until we have caught all the CSP violations
+ key: 'Content-Security-Policy',
 value: `
 default-src 'self';
- script-src 'self' 'unsafe-eval' 'unsafe-inline' ${scriptSrcUrls.join(' ')};
+ script-src 'self' 'unsafe-inline' ${scriptSrcUrls.join(' ')};
 child-src 'self' blob:;
 worker-src 'self' ${workerSrcUrls.join(' ')};
 style-src 'self' 'unsafe-inline' ${styleSrcUrls.join(' ')};
@@ -145,30 +145,47 @@ module.exports = withBundleAnalyzer(
 base-uri 'self';
 form-action 'self';
 frame-ancestors 'self';
+ upgrade-insecure-requests;
 `
 .replace(/\s{2,}/g, ' ')
 .trim(),
 },
 {
 key: 'Referrer-Policy',
- value: 'origin-when-cross-origin',
+ value: 'strict-origin-when-cross-origin',
 },
 {
 key: 'X-Content-Type-Options',
 value: 'nosniff',
 },
+ {
+ key: 'X-Frame-Options',
+ value: 'DENY',
+ },
+ {
+ key: 'X-XSS-Protection',
+ value: '1; mode=block',
+ },
+ {
+ key: 'Permissions-Policy',
+ value:
+ 'camera=(), microphone=(), geolocation=(), usb=(), bluetooth=(), payment=(), accelerometer=(), gyroscope=(), magnetometer=(), ambient-light-sensor=(), autoplay=()',
+ },
+ {
+ key: 'Cross-Origin-Opener-Policy',
+ value: 'same-origin-allow-popups',
+ },
+ ...(process.env.NODE_ENV === 'production'
+ ? [
+ {
+ key: 'Strict-Transport-Security',
+ value: 'max-age=31536000; includeSubDomains; preload',
+ },
+ ]
+ : []),
 ],
 },
 ];
- // This enforces HTTPS for all requests so we don't want this for local development
- if (process.env.NODE_ENV === 'production') {
- headers[0].headers.push({
- key: 'Strict-Transport-Security',
- value: 'max-age=31536000; includeSubDomains; preload',
- });
- }
-
- return headers;
 },
 }),
 ),
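Review bot: The now-enforced `Content-Security-Policy` still carries `'unsafe-inline'` in `script-src` (the `+ script-src` line), which lets any injected inline script execute, so switching from Report-Only to enforcement and dropping `'unsafe-eval'` does not yet make this directive an XSS control. A per-request nonce or script hashes is the real fix; until that lands, record it beside the line: `// TODO: 'unsafe-inline' in script-src neutralises this policy's XSS protection; replace with a nonce or hashes.`. Removing the Report-Only header also removes the only place violations were surfaced, and no `report-to`/`report-uri` directive is visible, so breakage from the enforced policy will only appear as user-facing failures — keep a reporting endpoint alongside the enforced header. The `source: '/:path'` matcher is unchanged context, but if it really reads `/:path` rather than `/:path*` these headers apply only to single-segment paths, which is worth confirming since a trailing `*` may have been lost in rendering. `headers()` starts in this hunk and continues past its end.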
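Review bot: The added `X-Frame-Options: DENY` contradicts the CSP's `frame-ancestors 'self'` a few lines above it — browsers that understand `frame-ancestors` ignore `X-Frame-Options`, so same-origin framing is permitted in current browsers and refused in legacy ones, and the effective policy depends on the client. Pick one: either tighten the CSP to `frame-ancestors 'none'` and keep `DENY`, or keep `'self'` and change the new line to `value: 'SAMEORIGIN'`. The added `X-XSS-Protection` with `'1; mode=block'` is a deprecated header: current browsers ignore it and the legacy filter it enabled is the reason common guidance now recommends `value: '0'` or omitting it entirely, and with the CSP enforced it contributes nothing. `headers()` begins in the previous hunk, outside this one.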
diff --git a/scriptUrls.js b/scriptUrls.js
index 48788a69b..5b51ad157 100644
--- a/scriptUrls.js
+++ b/scriptUrls.js
@@ -17,6 +17,7 @@ const scriptSrcUrls = [
 'https://*.hotjar.io',
 'https://*.rollbar.com',
 'https://*.simplybook.it',
+ 'https://widget.simplybook.it',
 'https://*.zapier.com',
 'https://fonts.googleapis.com',
 'https://static.hotjar.com',
@@ -69,7 +70,8 @@ const connectSrcUrls = [
 'https://noembed.com',
 'https://*.youtube.com',
 'https://www.youtube.com',
- process.env.NEXT_PUBLIC_API_BASE_URL, //new env by niksanand1717
+ ...(process.env.NODE_ENV === 'development' ? ['http://localhost:35001'] : []),
+ process.env.NEXT_PUBLIC_API_BASE_URL,
 ];
 const frameSrcUrls = [
 'https://*.hotjar.com',
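Review bot: The new `'https://widget.simplybook.it'` entry is already covered by `'https://*.simplybook.it'` on the line above, since a CSP host-source wildcard matches any subdomain, so the addition changes nothing in the resulting `script-src`. Either drop the new line or, if the intent was to narrow the allowance to the widget host, remove the wildcard entry instead; as written the pair leaves the next reader unsure which one is authoritative. `scriptSrcUrls` is opened above this hunk.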
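Review bot: `process.env.NEXT_PUBLIC_API_BASE_URL` is re-added to `connectSrcUrls` with no guard, so when the variable is unset at build time the entry is `undefined`, which `join(' ')` renders as an empty token (assuming this list is joined like the `scriptSrcUrls` list in next.config.js), and the API origin silently drops out of the policy. That was tolerable while the CSP was Report-Only, but with enforcement every request to the API would be blocked with nothing pointing at the cause. A fail-fast check near the top of the file, `if (!process.env.NEXT_PUBLIC_API_BASE_URL) throw new Error('NEXT_PUBLIC_API_BASE_URL must be set');`, surfaces the misconfiguration at build rather than in end users' browsers. The `http://localhost:35001` entry is correctly gated on `development`; `connectSrcUrls` is defined above this hunk.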