## Motivation

The main problem regarding maintainability is that it is the single package that depends on the latest Next as a whole.

- to support more setups/versions of Next
- to support `next export`
- decoupling from Vercel for more hosting providers
- to put out major releases gradually for the stuff that works and is tested, and keep the more experimental packages in the minors

## @strict-csp/builder

- basic utilities with typing/IntelliSense for dealing with CSPs (parse/stringify, merge, etc.) with a fluent builder interface
- with stackable directive presets (#43) for services (GitHub, Vercel, Netlify, headless CMS, Google Fonts, ...)
- with separate crypto bundles for the Node and V8 runtimes (`@strict-csp/builder/dist/node`, `@strict-csp/builder/dist/v8`) that include algorithms for hashing and nonce generation

### Dependencies

- none

## @strict-csp/next-ssr

- injects hashes into scripts with `src` during prerender, or loads them by a hashed trusted inline proxy
- processes `Head` and `initialProps.html` for sources
- writes out a static CSP manifest to `_next/~csp/csp-manifest.json` (#40) for post-build processing
- additional processing of sources on top of scripts and inline styles can be implemented
- augments the CSP with a nonce for dynamic pages

### Dependencies

- @strict-csp/builder
- next >= 11 (peer), the lowest version that supports `next/script`

### References

- https://github.com/vercel/next.js/issues/23993#issuecomment-818626449. This is a good reference for HTML processing for CSP with cheerio.

## @strict-csp/next-headers

- build-time post-processing of `_next/~csp/csp-manifest.json`
- can write out / extend headers with CSP configuration + data from the CSP manifest for several hosting providers (`vercel.json`, `firebase.json`, Netlify `_headers`, ...)
- enables hash-based strict CSP by `Response` header with reporting for static sites with `next export`

### Dependencies

### Resources

## @next-middleware/chainable

### Dependencies

## @strict-csp/next-middleware

### Dependencies
Originally posted by @nibtime in https://github.com/nibtime/next-safe-middleware/discussions/60#discussioncomment-3259782