Open offgriddev opened 2 years ago
It's important to point out here that there are defaults available on createSecureHeaders() here, but nothing for Content-Security-Policy. While CSP has side-effects due to the restrictions it places on loading resources, the default directives defined in the helmet repository are reasonable as a baseline, so someone coming in wanting to get some basic protections can use the defaults and build on top of them. The default directives in helmet can be found here.
🌱 Feature Request
Is your feature request related to a problem? Please describe.
As a solution similar to helmet, it would be beneficial for consumers to have similar defaults, so as to align with other packages' features. This would provide consumers with a simple interface to match other packages leveraging helmet defaults. Otherwise, consumers need to specify these in their repositories. You can find the defaults in helmet here.
Describe the solution you'd like
Somewhere in the CSP rule, you could allow users to specify they want a set of default directives here: https://github.com/jagaapple/next-secure-headers/blob/master/src/rules/content-security-policy.ts#L226-L238
The behavior of the helmet repository is that if you tell it to include CSP without specifying any directives, it will default to the set defined in the module here. next-secure-headers can implement something similar here: https://github.com/jagaapple/next-secure-headers/blob/master/src/rules/content-security-policy.ts#L213-L223. When no directives are passed through, it can default to the same set of directives.
Describe alternatives you've considered
Consumers need to maintain a basic set of default directives for helmet independently when this should rest with the package.
Documentation, Adoption, Migration Strategy
If you can, explain how users will be able to use this and how it might be documented. Maybe a mock-up?
Additional context
Add any other context or screenshots about the feature request here.
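The following is an added worked example (not code from next-secure-headers or helmet, and not part of the original issue) of the behaviour the request describes: when no directives are supplied, fall back to a baseline directive set; when some are supplied, merge them over the baseline so a consumer can "build on top" of the defaults. The baseline mirrors helmet's documented default directives, which is an assumption tied to the helmet version and should be checked against the helmet source the issue links to; the function names `resolveDirectives`, `serializeDirectives` and `buildContentSecurityPolicy` are hypothetical.

```typescript
// Added example: baseline CSP directives with merge-over-defaults semantics.
// Not the next-secure-headers or helmet implementation.

type DirectiveValue = string[] | boolean | null;
type UserDirectives = Record<string, DirectiveValue>;
type ResolvedDirectives = Record<string, string[] | boolean>;

// Assumption: this mirrors helmet's default directive set (helmet 5.x/6.x);
// verify against the helmet source before relying on it.
const DEFAULT_CSP_DIRECTIVES: Readonly<ResolvedDirectives> = {
  "default-src": ["'self'"],
  "base-uri": ["'self'"],
  "font-src": ["'self'", "https:", "data:"],
  "form-action": ["'self'"],
  "frame-ancestors": ["'self'"],
  "img-src": ["'self'", "data:"],
  "object-src": ["'none'"],
  "script-src": ["'self'"],
  "script-src-attr": ["'none'"],
  "style-src": ["'self'", "https:", "'unsafe-inline'"],
  "upgrade-insecure-requests": true,
};

// Accept camelCase keys (scriptSrc) as well as header spelling (script-src).
function toKebab(name: string): string {
  return name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Merge user directives over the defaults. A value of null (or false)
// removes that directive from the result; anything else replaces the default.
function resolveDirectives(user?: UserDirectives, useDefaults = true): ResolvedDirectives {
  const result: ResolvedDirectives = useDefaults ? { ...DEFAULT_CSP_DIRECTIVES } : {};
  for (const [rawName, value] of Object.entries(user ?? {})) {
    const name = toKebab(rawName);
    if (value === null || value === false) {
      delete result[name];
    } else {
      result[name] = value;
    }
  }
  return result;
}

// Serialize to a Content-Security-Policy header value. Boolean directives
// such as upgrade-insecure-requests carry no source list.
function serializeDirectives(directives: ResolvedDirectives): string {
  return Object.entries(directives)
    .map(([name, value]) => (Array.isArray(value) ? `${name} ${value.join(" ")}` : name))
    .join("; ");
}

// Entry point: no directives passed means "use the baseline", matching the
// behaviour the issue asks for. An empty policy is refused rather than
// silently emitting a header that protects nothing.
function buildContentSecurityPolicy(user?: UserDirectives, useDefaults = true): string {
  const resolved = resolveDirectives(user, useDefaults);
  if (Object.keys(resolved).length === 0) {
    throw new Error("Content-Security-Policy would be empty; supply directives or enable defaults");
  }
  return serializeDirectives(resolved);
}

// Usage: baseline only, then baseline with one override and one removal.
console.log(buildContentSecurityPolicy());
console.log(
  buildContentSecurityPolicy({
    scriptSrc: ["'self'", "https://cdn.example.invalid"], // constructed host
    "upgrade-insecure-requests": null,
  }),
);
```

Note the two choices that matter for consumers: overrides replace a default directive wholesale rather than appending to it (so a caller who adds a CDN to `script-src` must restate `'self'` if they still want it), and an explicit `null` is the only way to drop a baseline directive. Both keep the resulting policy predictable from reading the call site alone.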