import { NextRequest, NextResponse } from "next/server";
/**
 * Produces a fresh CSP nonce for one request: 16 bytes from the platform
 * CSPRNG, base64-encoded (24 characters, always `==`-padded).
 *
 * Relies only on the global `crypto` and `btoa`, so the same code runs in the
 * Edge runtime and in Node.
 *
 * @returns The base64-encoded nonce.
 */
function generateNonce(): string {
  const raw = crypto.getRandomValues(new Uint8Array(16));
  // Build the binary string byte by byte; btoa expects Latin-1 code points.
  let binary = "";
  for (const byte of raw) {
    binary += String.fromCharCode(byte);
  }
  return btoa(binary);
}
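/**
 * Attaches a per-request CSP nonce and a set of hardening headers to every
 * matched response.
 *
 * The nonce is forwarded to the rendering layer through the `x-nonce` request
 * header and referenced from `script-src`, so only scripts carrying it (and,
 * via `'strict-dynamic'`, scripts they load) may execute.
 *
 * @param request - The incoming request. Its headers are copied, not mutated.
 * @returns `NextResponse.next()` carrying the forwarded headers and the
 *   security response headers.
 */
export function middleware(request: NextRequest) {
  // Anything other than an explicit "production" (e.g. "test" or unset) gets
  // the relaxed development policy below.
  const isDevelopment = process.env.NODE_ENV !== "production";
  const nonce = generateNonce();

  // Copy the headers so the original request object stays untouched.
  const requestHeaders = new Headers(request.headers);
  requestHeaders.set("x-nonce", nonce);

  const csp = [
    "default-src 'self'",
    // 'strict-dynamic' makes supporting browsers ignore host sources such as
    // 'self', so production lists only the nonce. 'unsafe-eval' is granted in
    // development only — presumably for the dev tooling; confirm before
    // loosening further.
    isDevelopment
      ? `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' 'unsafe-eval'`
      : `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    // NOTE(review): 'unsafe-inline' on styles is a deliberate weakening;
    // injected inline styles are not blocked by this policy.
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data:",
    "font-src 'self'",
    // ws:/wss: presumably serves the dev server's live-reload socket.
    isDevelopment ? "connect-src 'self' ws: wss:" : "connect-src 'self'",
    "frame-src 'none'",
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
    // CSP-level counterpart of the X-Frame-Options: DENY header set below;
    // browsers that honour both give this directive precedence.
    "frame-ancestors 'none'",
    // Only meaningful once the site is actually served over HTTPS.
    isDevelopment ? "" : "upgrade-insecure-requests",
  ]
    .filter(Boolean) // drops the empty development placeholder
    .join("; ");

  const response = NextResponse.next({
    request: {
      headers: requestHeaders,
    },
  });

  response.headers.set("Content-Security-Policy", csp);
  // Legacy framing control, kept for clients without frame-ancestors support.
  response.headers.set("X-Frame-Options", "DENY");
  response.headers.set("X-Content-Type-Options", "nosniff");
  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
  response.headers.set("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
  return response;
}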
/**
 * Limits the middleware to page and API routes: the negative lookahead skips
 * Next.js build assets (`_next/static`, `_next/image`), the listed well-known
 * root files, and any path ending in one of the static-asset extensions, so
 * those responses are served without the nonce/CSP work above.
 *
 * Kept as a plain object literal; Next.js reads this export statically.
 */
export const config = {
  matcher: [
    "/((?!_next/static|_next/image|favicon.ico|robots.txt|sitemap.xml|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js|map|txt|xml|woff|woff2|ttf|otf)$).*)",
  ],
};