fix(csp): mover CSP para proxy.ts para leitura em runtime

Content-Security-Policy estava em next.config.ts (build time), então S3_ENDPOINT nunca era incluído no connect-src ao buildar via Docker no CI. Movido para proxy.ts que avalia em runtime. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-09 11:01:45 +00:00 · 2026-04-07 13:49:23 +00:00
parent 27e3ba5f0d
commit 43697b4fd2
4 changed files with 42 additions and 16 deletions
--- a/next.config.ts
+++ b/next.config.ts
@@ -4,8 +4,6 @@ import type { NextConfig } from "next";
 // Carregar variáveis de ambiente explicitamente
 dotenv.config();

-const isDev = process.env.NODE_ENV === "development";
-
 const nextConfig: NextConfig = {
 	output: "standalone",
 	cacheComponents: true,
@@ -44,18 +42,6 @@ const nextConfig: NextConfig = {
 						key: "X-Frame-Options",
 						value: "DENY",
 					},
-					{
-						key: "Content-Security-Policy",
-						value: [
-							"default-src 'self'",
-							`script-src 'self' 'unsafe-inline'${isDev ? " 'unsafe-eval'" : ""} https://umami.felipecoutinho.com`,
-							"style-src 'self' 'unsafe-inline'",
-							"img-src 'self' https://lh3.googleusercontent.com data: blob:",
-							"font-src 'self'",
-							`connect-src 'self' https://umami.felipecoutinho.com ${process.env.S3_ENDPOINT ? new URL(process.env.S3_ENDPOINT).origin : ""}`.trim(),
-							"frame-ancestors 'none'",
-						].join("; "),
-					},
 					{
 						key: "Referrer-Policy",
 						value: "strict-origin-when-cross-origin",