Function configureSecurityHeaders

  • Configures Content Security Policy headers for all responses on the default session. Complements the CSP meta tag in index.html: when both are present the browser enforces both, so the effective policy is their intersection. In development (app not packaged), relaxes connect-src to allow WebSocket and the Vite dev server and adds 'unsafe-inline' to script-src for Vite HMR; production keeps script-src 'self'.

    Returns void

    Called during app initialization to set up security headers.

    /**
     * Installs a Content-Security-Policy header on every response that passes
     * through `session.defaultSession`, so a renderer document gets a policy
     * even when it carries no CSP of its own. When `index.html` also ships a
     * CSP `<meta>` tag, both policies are enforced and the effective policy is
     * their intersection.
     *
     * Environment selection uses `app.isPackaged`: an unpackaged build is
     * treated as development and relaxes two directives:
     *   - `connect-src` additionally permits `ws:` and `http://localhost:*`
     *     (Vite dev server + HMR socket);
     *   - `script-src` additionally permits `'unsafe-inline'` (Vite HMR injects
     *     small inline scripts).
     * Packaged builds keep `script-src 'self'` with no inline scripts.
     *
     * Security notes for reviewers:
     *   - `style-src 'unsafe-inline'` and `img-src https:` are permitted in
     *     production too; `https:` lets the renderer load images from any HTTPS
     *     origin, so image URLs derived from untrusted data are not constrained
     *     by this policy.
     *   - Dev `ws:` is scheme-wide, not limited to localhost; `ws://localhost:*`
     *     would be the stricter choice if HMR only ever uses localhost — TODO
     *     confirm against the Vite config before tightening.
     *   - `upgrade-insecure-requests` is also sent in development alongside
     *     `http://localhost:*`; if dev connections unexpectedly fail, confirm how
     *     Chromium treats localhost under that directive.
     *   - The spread keeps every existing response header, then sets
     *     `Content-Security-Policy`. A server header with that exact name is
     *     replaced by this policy rather than enforced alongside it; a header
     *     under another casing (e.g. `content-security-policy`) survives and
     *     both are enforced. The policy text is mirrored in
     *     docs/guides/SECURITY.md — keep the two in sync.
     *
     * Called once during app initialization.
     *
     * @returns {void}
     */
    function configureSecurityHeaders() {
      return withGroup(`[Main] Configure Security Headers`, () => {
        console.info("[Main] 🔒 Setting up Content Security Policy headers...");

        // Unpackaged == running from source against the Vite dev server.
        const development = !app.isPackaged;

        // Remote API origins the renderer may reach with fetch/XHR in every build.
        const apiOrigins =
          "https://graphql.anilist.co https://api.mangadex.org https://api.comick.fun https://api.github.com";

        // Relaxations that only exist while running against the Vite dev server.
        const connectSrc = development
          ? `connect-src 'self' ${apiOrigins} ws: http://localhost:*;`
          : `connect-src 'self' ${apiOrigins};`;
        const scriptSrc = development
          ? "script-src 'self' 'unsafe-inline';"
          : "script-src 'self';";

        // The policy is fixed for the process lifetime, so build it once rather
        // than per response.
        const policy = [
          "default-src 'self';",
          scriptSrc,
          "style-src 'self' 'unsafe-inline';",
          "img-src 'self' data: https:;",
          "font-src 'self' data:;",
          connectSrc,
          "object-src 'none';",
          "base-uri 'self';",
          "form-action 'none';",
          "frame-ancestors 'none';",
          "upgrade-insecure-requests;",
        ].join(" ");

        // Applies to every response on the default session; CSP is only
        // meaningful for document responses, and the browser ignores it on others.
        session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
          callback({
            responseHeaders: {
              ...details.responseHeaders,
              "Content-Security-Policy": policy,
            },
          });
        });

        console.info(
          development
            ? "[Main] â„šī¸ CSP configured in development mode (WebSocket + Vite dev server allowed)"
            : "[Main] ✅ CSP headers configured for production",
        );
      });
    }