fix: add some security headers to nginx (#236)

Author: langchain-infra

charts/langsmith/Chart.yaml

@@ -5,5 +5,5 @@ maintainers:
     email: [email protected]
 description: Helm chart to deploy the langsmith application and all services it depends on.
 type: application
-version: 0.9.18
+version: 0.9.19
 appVersion: "0.9.52"

charts/langsmith/templates/frontend/config-map.yaml

@@ -29,6 +29,10 @@ data:
         proxy_connect_timeout {{ .Values.frontend.proxyConnectTimeout }};
         proxy_send_timeout {{ .Values.frontend.proxyWriteTimeout }};
 
+        add_header Content-Security-Policy "frame-ancestors 'self'; object-src 'none'" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 
         error_page   500 502 503 504  /50x.html;
         location = /50x.html {
@@ -212,6 +216,11 @@ data:
         proxy_connect_timeout {{ .Values.frontend.proxyConnectTimeout }};
         proxy_send_timeout {{ .Values.frontend.proxyWriteTimeout }};
 
+        add_header Content-Security-Policy "frame-ancestors 'self'; object-src 'none'" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
         location / {
             root   /tmp/build;
             index  index.html index.htm;