
next-strict-csp's Issues

Missing object-src and missing base-uri

Hey, first of all thanks for the package! I am new to CSP, so this is helping me a lot.
But after including the meta-tag in my head, I still get high severity warnings in Google Lighthouse for not having it set up correctly...

Missing object-src allows the injection of plugins that execute unsafe scripts. Consider setting object-src to 'none' if you can.
Directive: object-src
Severity: High

Missing base-uri allows injected tags to set the base URL for all relative URLs (e.g. scripts) to an attacker controlled domain. Consider setting base-uri to 'none' or 'self'.
Directive: base-uri
Severity: High

Am I supposed to add them manually? Or is this behaviour intended?

Thanks in advance!
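An added example, not part of the issue or of the next-strict-csp package, that reproduces the two Lighthouse checks quoted above against a policy string and shows the policy completed with the directives they ask for. The sample policy is constructed for illustration and is not what the package emits.

```javascript
// Added example: audit a CSP string for the two Lighthouse findings quoted in
// the issue (missing object-src, missing base-uri) and fill them in.
// The sample policy below is constructed; it is not next-strict-csp's output.

// Parse "directive v1 v2; directive v3" into a Map of directive -> [values].
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    // CSP3: a repeated directive name is ignored; only the first one counts.
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Return findings in the shape Lighthouse reports them for these two directives.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  if (!d.has('object-src')) {
    findings.push({ directive: 'object-src', severity: 'High', fix: "object-src 'none'" });
  }
  if (!d.has('base-uri')) {
    // Lighthouse accepts 'none' or 'self'; 'none' is the stricter choice.
    findings.push({ directive: 'base-uri', severity: 'High', fix: "base-uri 'none'" });
  }
  return findings;
}

// Append only the directives that are missing; existing directives are left as-is.
function hardenCsp(policy) {
  const extra = auditCsp(policy).map((f) => f.fix);
  const base = policy.trim().replace(/;\s*$/, '');
  return extra.length ? `${base}; ${extra.join('; ')}` : base;
}

// Constructed sample: a nonce-based script-src policy with no object-src or base-uri,
// the situation the issue describes after adding the package's meta tag.
const SAMPLE_POLICY = "script-src 'nonce-abc123' 'strict-dynamic' https: 'unsafe-inline'";

console.log(auditCsp(SAMPLE_POLICY));   // two High findings
console.log(hardenCsp(SAMPLE_POLICY));  // same policy plus object-src and base-uri
```

The same `auditCsp` can be pointed at the `content` attribute of the meta tag or at a `Content-Security-Policy` response header, since both carry the same directive syntax.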

A variant of your component + some ideas on this

Hi @guydumais

I read your blog post about strict CSP with Next, got curious, and tried it out on my latest project with Next.js 12.

Unfortunately, your package didn't work. I was not able to import it from NPM, which gave an error, but I am using yarn berry with zero installs, so I think that's due to that. (for this to work you had to import { Head } from 'next/document' and set next up as a peer dep)

Edit: In the meantime, I released a package @next-safe/middleware (Repo: https://github.com/nibtime/next-safe-middleware) that offers strict CSP support for Next 12 hybrid apps (getStaticProps - Hash-based, getServerSideProps - Nonce-based) via middleware, all by HTTP response header. That is a little bit safer, but most importantly enables reporting, for which the package also provides a convenient setup mechanism. It also works with next/script and hashes/nonces everything behind the scenes and adds stuff to the CSP.

Furthermore, it provides middleware to configure a custom CSP (apart from script-src) on top and to use inline styles without unsafe-inline.

Should anybody have problems with this package or have any of the above requirements, I recommend checking it out (of course I'd say that, I made the package, but I also think it genuinely solves some common CSP issues very well at this point).

Does my static website need Content Security Policy?

Hi, thank you so much for the useful package.

I have a static blog website built using Next.js and Strapi headless CMS.

I recently came to know about the Content Security Policy.

But I am having a really hard time understanding it thoroughly.

I was reading articles about it online and some of them say that it is not required for a static website.

https://csp.withgoogle.com/docs/why-csp.html

https://reesmorris.co.uk/blog/implementing-proper-csp-nextjs-styled-components

My website is an SSG (automatically generated static HTML + JSON).

The only place where the server is involved is the sitemap.xml file which is handled by (pages/api/sitemap.js). I can't generate it statically because of dynamic URLs coming from Strapi.

I have a cookie consent banner on the website and that is the only cookie I think besides Google Analytics & TruConversion Heatmap cookies. (If this is relevant)

I am planning to have a "contact" page on my website in the future and it will contain the contact form. Probably, the only place where users may input data.

I'll be very thankful if you could tell me whether I actually need a CSP or not.
