Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions moon/apps/web/next.config.js
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@ const cspResourcesByDirective = {
'wss://*.gitmono.com',
'wss://*.gitmega.com',
'https://*.gitmega.com',
'ws://*.gitmega.com',

Copilot AI Jul 29, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding insecure WebSocket (ws://) connections in CSP creates a security vulnerability as these connections are unencrypted and susceptible to man-in-the-middle attacks. Consider using a development-only conditional check similar to line 44, or restrict this to specific development domains.

Suggested change
'ws://*.gitmega.com',
process.env.NODE_ENV !== 'production' && 'ws://*.gitmega.com',

Copilot uses AI. Check for mistakes.
'http://*.gitmega.com',

Copilot AI Jul 29, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding insecure HTTP connections in CSP creates a security vulnerability as these connections are unencrypted and susceptible to man-in-the-middle attacks. Consider using a development-only conditional check similar to line 44, or restrict this to specific development domains.

Suggested change
'http://*.gitmega.com',
process.env.NODE_ENV !== 'production' && 'http://*.gitmega.com',

Copilot uses AI. Check for mistakes.
'http://*.gitmono.test:3001',
'http://*.gitmono.test:8000',
process.env.NODE_ENV !== 'production' && 'https://api.gitmega.com',
Expand Down