guydumais / next-strict-csp Goto Github PK
View Code? Open in Web Editor NEWHash-based Strict Content Security Policy generator for Next.js
Hash-based Strict Content Security Policy generator for Next.js
Hey, first of all thanks for the package! I am new to CSP, so this is helping me a lot.
But after including the meta-tag in my head, I still get high severity warnings in Google Lighthouse for not having it set up correctly...
Missing object-src allows the injection of plugins that execute unsafe scripts. Consider setting object-src to 'none' if you can.
Directive: object-src
Severity: High
Missing base-uri allows injected tags to set the base URL for all relative URLs (e.g. scripts) to an attacker controlled domain. Consider setting base-uri to 'none' or 'self'.
Directive: base-uri
Severity: High
Am I supposed to add them manually? Or is this behaviour intended?
Thanks in advance!
Hi! Can i use your package with Next.js appDir?
next-strict-csp/dist/cjs/index.js
Line 58 in 97f3b46
Hello this line with coalescent operator might prevent building project, could we make it more backward compatible by removing it?
Hi @guydumais
I read your blog post about strict CSP with Next, got curious, and tried it out on my latest project with Next.js 12
Unfortunately, your package didn't work. I was not able to import it from NPM, which gave an error, but I am using yarn berry with zero installs, so I think that's due to that. (for this to work you had to import { Head } from 'next/document'
and set next up as a peer dep)
Edit: In the meantime, I released a package @next-safe/middleware (Repo: https://github.com/nibtime/next-safe-middleware) that offers strict CSP support for Next 12 hybrid apps (getStaticProps - Hash-based, getServerSideProps - Nonce-based) via middleware, all by HTTP response header. That is a little bit safer, but most importantly enables reporting, for which the package also provides a convenient setup mechanism. It also works with next/script
and hashes/nonces everything behind the scenes and adds stuff to the CSP.
Furthermore, it provides middleware to configure a custom CSP (apart from script-src
) on top and to use inline styles without unsafe-inline
.
Should anybody have problems with this package or have any of the above requirements, I recommend checking it out (of course I'd say that, I made the package ๐, but I also think it genuinely solves some common CSP issues very well at this point)
Hi, thank you so much for the useful package.
I have a static blog website built using Next.js and Strapi headless CMS.
I recently came to know about the Content Security Policy.
But having really a hard time understanding it thoroughly.
I was reading articles about it online and some of them say that it is not required for a static website.
https://csp.withgoogle.com/docs/why-csp.html
https://reesmorris.co.uk/blog/implementing-proper-csp-nextjs-styled-components
My website is an SSG (automatically generated static HTML +JSON).
The only place where the server is involved is the sitemap.xml file which is handled by (pages/api/sitemap.js). I can't generate it statically because of dynamic URLs coming from Strapi.
I have a cookie consent banner on the website and that is the only cookie I think besides Google Analytics & TruConversion Heatmap cookies. (If this is relevant)
I am planning to have a "contact" page on my website in the future and it will contain the contact form. Probably, the only place where users may input data.
I'll be very thankful to you if you suggest to me that whether I actually need a CSP or not.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.