CCM-9916: preload in link headers

harrim91 · harrim91 · commit da56f5d0888a · 2025-10-21T16:53:42.000+01:00
diff --git a/frontend/src/__tests__/middleware.test.ts b/frontend/src/__tests__/middleware.test.ts
@@ -17,6 +17,10 @@ function getCsp(response: Response) {
   return csp?.split(';').map((s) => s.trim());
 }
 
+function getLinkHeaders(response: Response) {
+  return response.headers.get('Link')?.split(', ');
+}
+
 const OLD_ENV = { ...process.env };
 afterAll(() => {
   process.env = OLD_ENV;
@@ -36,6 +40,10 @@ describe('middleware function', () => {
     const response = await middleware(request);
 
     expect(response.status).toBe(404);
+    expect(getLinkHeaders(response)).toEqual([
+      '<https://assets.nhs.uk/fonts/FrutigerLTW01-55Roman.woff2>; rel=preload; as=font; crossorigin=anonymous',
+      '<https://assets.nhs.uk/fonts/FrutigerLTW01-65Bold.woff2>; rel=preload; as=font; crossorigin=anonymous',
+    ]);
   });
 
   it('if request path is protected, and no access/id token is obtained, redirect to auth page', async () => {
@@ -61,7 +69,7 @@ describe('middleware function', () => {
     expect(response.cookies.get('csrf_token')?.value).toEqual('');
   });
 
-  it('if request path is protected, tokens exist AND token has client-id, respond with CSP', async () => {
+  it('if request path is protected, tokens exist AND token has client-id, respond with CSP and links to preload fonts', async () => {
     getTokenMock.mockResolvedValueOnce({
       accessToken: 'access-token',
       clientId: 'client1',
@@ -92,6 +100,11 @@ describe('middleware function', () => {
       'upgrade-insecure-requests',
       '',
     ]);
+
+    expect(getLinkHeaders(response)).toEqual([
+      '<https://assets.nhs.uk/fonts/FrutigerLTW01-55Roman.woff2>; rel=preload; as=font; crossorigin=anonymous',
+      '<https://assets.nhs.uk/fonts/FrutigerLTW01-65Bold.woff2>; rel=preload; as=font; crossorigin=anonymous',
+    ]);
   });
 
   it('if request path is protected, tokens exist BUT token missing client-id, redirect to request-to-be-added page', async () => {
@@ -113,7 +126,7 @@ describe('middleware function', () => {
     );
   });
 
-  it('if request path is not protected, respond with CSP', async () => {
+  it('if request path is not protected, respond with CSP and links to preload fonts', async () => {
     const url = new URL('https://url.com/create-and-submit-templates');
     const request = new NextRequest(url);
     const response = await middleware(request);
@@ -136,6 +149,11 @@ describe('middleware function', () => {
       'upgrade-insecure-requests',
       '',
     ]);
+
+    expect(getLinkHeaders(response)).toEqual([
+      '<https://assets.nhs.uk/fonts/FrutigerLTW01-55Roman.woff2>; rel=preload; as=font; crossorigin=anonymous',
+      '<https://assets.nhs.uk/fonts/FrutigerLTW01-65Bold.woff2>; rel=preload; as=font; crossorigin=anonymous',
+    ]);
   });
 
   it('public path (/auth/request-to-be-added-to-a-service) responds with CSP', async () => {
@@ -163,6 +181,11 @@ describe('middleware function', () => {
       'upgrade-insecure-requests',
       '',
     ]);
+
+    expect(getLinkHeaders(response)).toEqual([
+      '<https://assets.nhs.uk/fonts/FrutigerLTW01-55Roman.woff2>; rel=preload; as=font; crossorigin=anonymous',
+      '<https://assets.nhs.uk/fonts/FrutigerLTW01-65Bold.woff2>; rel=preload; as=font; crossorigin=anonymous',
+    ]);
   });
 
   it('when running in development mode, CSP script-src allows unsafe-eval and does not upgrade insecure requests', async () => {
diff --git a/frontend/src/app/layout.tsx b/frontend/src/app/layout.tsx
@@ -57,22 +57,6 @@ export default function RootLayout({
   return (
     <html lang='en'>
       <head>
-        <link
-          rel='preload'
-          as='font'
-          href='https://assets.nhs.uk/fonts/FrutigerLTW01-55Roman.woff2'
-          type='font/woff2'
-          crossOrigin='anonymous'
-        />
-
-        <link
-          rel='preload'
-          as='font'
-          href='https://assets.nhs.uk/fonts/FrutigerLTW01-65Bold.woff2'
-          type='font/woff2'
-          crossOrigin='anonymous'
-        />
-
         <script
           src={`${getBasePath()}/lib/nhsuk-frontend-10.0.0.min.js`}
           defer
diff --git a/frontend/src/middleware.ts b/frontend/src/middleware.ts
@@ -78,6 +78,17 @@ function getContentSecurityPolicy(nonce: string) {
     .concat(';');
 }
 
+function preloadFonts(res: NextResponse) {
+  res.headers.append(
+    'Link',
+    '<https://assets.nhs.uk/fonts/FrutigerLTW01-55Roman.woff2>; rel=preload; as=font; crossorigin=anonymous'
+  );
+  res.headers.append(
+    'Link',
+    '<https://assets.nhs.uk/fonts/FrutigerLTW01-65Bold.woff2>; rel=preload; as=font; crossorigin=anonymous'
+  );
+}
+
 export async function middleware(request: NextRequest) {
   const { pathname } = request.nextUrl;
 
@@ -97,11 +108,17 @@ export async function middleware(request: NextRequest) {
 
     publicPathResponse.headers.set('Content-Security-Policy', csp);
 
+    preloadFonts(publicPathResponse);
+
     return publicPathResponse;
   }
 
   if (!protectedPaths.some((p) => p.test(pathname))) {
-    return new NextResponse('Page not found', { status: 404 });
+    const notFound = new NextResponse('Page not found', { status: 404 });
+
+    preloadFonts(notFound);
+
+    return notFound;
   }
 
   const { accessToken, idToken } = await getSessionServer({
@@ -145,6 +162,8 @@ export async function middleware(request: NextRequest) {
 
   response.headers.set('Content-Security-Policy', csp);
 
+  preloadFonts(response);
+
   return response;
 }
 
