-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmiddleware.ts
More file actions
85 lines (74 loc) · 2.34 KB
/
Copy pathmiddleware.ts
File metadata and controls
85 lines (74 loc) · 2.34 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
import { NextResponse, type NextRequest } from 'next/server';
function generateNonce() {
const bytes = new Uint8Array(16);
crypto.getRandomValues(bytes);
let binary = '';
for (const byte of bytes) {
binary += String.fromCharCode(byte);
}
return btoa(binary);
}
function buildCsp(nonce: string, isDev: boolean) {
const plausibleHost = (
process.env.NEXT_PUBLIC_PLAUSIBLE_HOST ?? 'https://plausible.io'
).replace(/\/$/, '');
const plausibleEnabled = Boolean(process.env.NEXT_PUBLIC_PLAUSIBLE_DOMAIN);
const scriptSrc = [
`'self'`,
`'nonce-${nonce}'`,
`'strict-dynamic'`,
isDev ? `'unsafe-eval'` : null,
]
.filter(Boolean)
.join(' ');
const connectSrc = [`'self'`, plausibleEnabled ? plausibleHost : null]
.filter(Boolean)
.join(' ');
const directives = [
`default-src 'self'`,
`script-src ${scriptSrc}`,
`style-src 'self' 'unsafe-inline'`,
`img-src 'self' data: blob:`,
`font-src 'self' data:`,
`connect-src ${connectSrc}`,
`media-src 'self'`,
`frame-ancestors 'none'`,
`form-action 'self'`,
`base-uri 'self'`,
`object-src 'none'`,
`manifest-src 'self'`,
`worker-src 'self' blob:`,
`report-uri /api/csp-report`,
];
if (!isDev) {
directives.push('upgrade-insecure-requests');
}
return directives.join('; ');
}
export function middleware(request: NextRequest) {
const nonce = generateNonce();
const isDev = process.env.NODE_ENV !== 'production';
const csp = buildCsp(nonce, isDev);
const requestHeaders = new Headers(request.headers);
requestHeaders.set('x-nonce', nonce);
requestHeaders.set('content-security-policy', csp);
const response = NextResponse.next({
request: { headers: requestHeaders },
});
response.headers.set('content-security-policy', csp);
return response;
}
export const config = {
matcher: [
// Skip static assets and image optimisation. The static security headers
// from next.config.ts still cover them; CSP only matters on documents.
{
source:
'/((?!api/csp-report|_next/static|_next/image|favicon.ico|robots.txt|sitemap.xml|manifest.webmanifest|opengraph-image|twitter-image|icon|apple-icon|me\\.webp|cv\\.pdf).*)',
missing: [
{ type: 'header', key: 'next-router-prefetch' },
{ type: 'header', key: 'purpose', value: 'prefetch' },
],
},
],
};