Split up the lib into multiple packages - Githubissues

nibtime / next-safe-middleware

Strict CSP (Content-Security-Policy) for Next.js hybrid apps https://web.dev/strict-csp/

https://next-safe-middleware.vercel.app

MIT License

78 stars 20 forks source link

Split up the lib into multiple packages #66

Open nibtime opened 2 years ago

nibtime commented 2 years ago

Motivation

The main problem regarding maintainability is that it is the single package that depends on latest Next as a whole.

to support more setups/versions of Next
to support next export,
decoupling from Vercel for more hosting providers.
to put out major releases gradually for the stuff that works and is tested and keep the more experimental packages in the minors.

@strict-csp/builder

basic utilities with typing/IntelliSense for dealing with CSPs, parse/stringify, merge, etc. with fluent builder interface
with stackable directive presets (#43) for services (GitHub, Vercel, Netlify, headless CMS, Google Fonts ....)
with separate crypto bundles for node and V8 runtime (@strict-csp/builder/dist/node, @strict-csp/builder/dist/v8) that include algorithms for hashing and nonce generation

Dependencies

none

@strict-csp/next-ssr

injects hashes into scripts with src during prerender or loads them by hashed trusted inline proxy
processes Head and initialProps.html for sources
writes out static CSP manifest to _next/~csp/csp-manifest.json (#40) for post-build-processing
additional processing of sources on top of scripts and inline styles can be implemented
augment CSP with nonce for dynamic pages

Dependencies

@strict-csp/builder
next >= 11 (peer) - the lowest version that supports next/script)

References

https://github.com/vercel/next.js/issues/23993#issuecomment-818626449. This is a good reference for HTML processing for CSP with cheerio

@strict-csp/next-headers

build-time post-processing of _next/~csp/csp-manifest.json
can write out / extend headers with CSP configuration + data from CSP manifest for several hosting providers (vercel.json, firebase.json, Netlify _headers, ...)
enables hash-based strict CSP by Response header with reporting for static sites with next export

Dependencies

@strict-csp/builder
@strict-csp/next-ssr (peer)

Resources

blueprint of a package with post-build processing and good DX: https://github.com/iamvishnusankar/next-sitemap#readme

@next-middleware/chainable

utilities to compose/chain middleware, required to ship reusable middleware with a package

Dependencies

next >= 12.2.4 (peer) - with stable root-level middleware and routing bugs fixed

@strict-csp/next-middleware

will have the best DX and versatility, with composable/chainable configuration
can factor in dynamic request data (Browser + Version) for CSP configuration

Dependencies

@strict-csp/builder
@strict-csp/next-ssr (peer)
@next-middleware/chainable

Originally posted by @nibtime in https://github.com/nibtime/next-safe-middleware/discussions/60#discussioncomment-3259782