Enalmada/next-secure

A helper for generating headers with next-safe.

Why

  • group CSP rules into an object with a description field, as a means of documenting what needs each specific rule
  • abstract out some security best practices so they can be shared across multiple projects
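The grouping idea above, as an added example that is not next-secure's own code: each third party gets a description and the routes that need it, and only the groups that apply to a route are merged into its Content-Security-Policy value. The vendor hosts and routes are constructed sample data.

```javascript
// Added example, not next-secure's own code: group CSP rules per third party, each
// with a description and the routes that need it, then merge into one header value.

// Baseline policy applied to every route ("*").
const BASE_POLICY = {
  description: "Baseline: same-origin only, no framing",
  routes: ["*"],
  directives: {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "frame-ancestors": ["'none'"],
  },
};
// Hypothetical third parties (constructed sample data, not real vendors).
const THIRD_PARTIES = [
  {
    description: "Analytics vendor script, marketing pages only",
    routes: ["/", "/pricing"],
    directives: {
      "script-src": ["https://analytics.example"],
      "connect-src": ["https://analytics.example"],
    },
  },
  {
    description: "Payment iframe on checkout",
    routes: ["/checkout"],
    directives: {
      "frame-src": ["https://pay.example"],
      "script-src": ["https://pay.example"],
    },
  },
];
const routeMatches = (routes, path) => routes.includes("*") || routes.includes(path);
// Build the Content-Security-Policy value for `path` from every group that applies.
function buildCsp(path, groups = [BASE_POLICY, ...THIRD_PARTIES]) {
  const merged = new Map(); // directive -> Set of sources (dedupes repeats)
  for (const g of groups.filter((x) => routeMatches(x.routes, path))) {
    for (const [directive, sources] of Object.entries(g.directives)) {
      const set = merged.get(directive) ?? new Set();
      sources.forEach((s) => set.add(s));
      merged.set(directive, set);
    }
  }
  return [...merged].map(([d, s]) => `${d} ${[...s].join(" ")}`).join("; ");
}
// Descriptions of the groups contributing to `path`: the audit trail for orphaned rules.
function explainCsp(path, groups = [BASE_POLICY, ...THIRD_PARTIES]) {
  return groups.filter((g) => routeMatches(g.routes, path)).map((g) => g.description);
}
```

A route no group claims gets only the baseline, so a vendor entry that no longer matches any live route shows up as an orphan in `explainCsp` rather than silently widening every page's policy.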

Getting Started

Read the documentation

TODO

[ ] review with-csp and use in middleware vs next.config.mjs

Alternatives

next-safe

  • only supported a raw CSP whitelist, but I wanted tracking per 3rd party
    • to only add CSP on routes that needed it
    • to know why things were being added and to minimize the risk of orphaning

next-safe-middleware

with-csp: Next.js has had work in 13.5 to improve dynamic CSP

  • unclear how static pages should be protected

Build Notes

Contribute

Using changesets, so please remember to run "changeset" with any PR.
Give consideration to the summary, as it is what will show up in the changelog.