add CSP env var to set a custom Content-Security-Policy header value

2025-10-19 17:59:28 +08:00 · 2024-09-24 15:22:47 -04:00
parent 2d670c585d
commit f350d61ee2
2 changed files with 10 additions and 7 deletions
--- a/beszel/internal/hub/hub.go
+++ b/beszel/internal/hub/hub.go
@@ -90,7 +90,7 @@ func (h *Hub) Run() {
 		return nil
 	})

-	// serve site
+	// serve web ui
 	h.app.OnBeforeServe().Add(func(e *core.ServeEvent) error {
 		switch isGoRun {
 		case true:
@@ -98,12 +98,17 @@ func (h *Hub) Run() {
 				Scheme: "http",
 				Host:   "localhost:5173",
 			})
-			e.Router.GET("/static/*", apis.StaticDirectoryHandler(os.DirFS("../../site/public/static"), false))
 			e.Router.Any("/*", echo.WrapHandler(proxy))
-			// e.Router.Any("/", echo.WrapHandler(proxy))
 		default:
-			e.Router.GET("/static/*", apis.StaticDirectoryHandler(site.Static, false))
-			e.Router.Any("/*", apis.StaticDirectoryHandler(site.Dist, true))
+			csp, cspExists := os.LookupEnv("CSP")
+			e.Router.Any("/*", func(c echo.Context) error {
+				if cspExists {
+					c.Response().Header().Del("X-Frame-Options")
+					c.Response().Header().Set("Content-Security-Policy", csp)
+				}
+				indexFallback := !strings.HasPrefix(c.Request().URL.Path, "/static/")
+				return apis.StaticDirectoryHandler(site.Dist, indexFallback)(c)
+			})
 		}
 		return nil
 	})
--- a/beszel/site/embed.go
+++ b/beszel/site/embed.go
@@ -11,5 +11,3 @@ import (
 var assets embed.FS

 var Dist = echo.MustSubFS(assets, "dist")
-
-var Static = echo.MustSubFS(assets, "dist/static")