search

nibtime / next-safe-middleware

Strict CSP (Content-Security-Policy) for Next.js hybrid apps https://web.dev/strict-csp/
https://next-safe-middleware.vercel.app
MIT License
78 stars 20 forks source link

Empty CSP HTTP Header #90

Closed danfsd closed 11 months ago

danfsd commented 1 year ago

This is the first time I'm trying to use this library and I'm finding it difficult to see the CSP directives that I've configured on the middleware to show on the CSP HTTP header.

These are the directives defined on cspMiddleware.js:

import {chainMatch, isPageRequest, csp, strictDynamic} from '@next-safe/middleware';

const securityMiddleware = [
  csp({
    // your CSP base configuration with IntelliSense
    // single quotes for values like 'self' are automatic
    directives: {
      'child-src': ['none'],
      'default-src': ['self'],
      'font-src': ['self', 'data:', 'https://fonts.gstatic.com'],
      'frame-ancestors': ['none'],
      'manifest-src': ['self'],
      'report-to': ['default'],
      'report-uri': ['https://xxxxxx.report-uri.com/r/d/csp/enforce'],
      'upgrade-insecure-requests': true,
      'worker-src': ['self']
    }
  }),
  strictDynamic()
];

export default chainMatch(isPageRequest)(...securityMiddleware);

When running on production, the content-security-policy header remains empty:

image

All the other files have been setup following the Getting Started part of the docs.

Any ideas?

danfsd commented 1 year ago

Hmm, I've renamed the cspMiddleware.ts to middleware.ts and placed it on the root of the application and it worked.

Does the naming/location of the middleware file interferes with the functioning of the library?

dannyrb commented 1 year ago

@danfsd, this is a next.js convention. The file has to be named middleware.ts

danfsd commented 11 months ago

Thanks @dannyrb, I wasn't aware of that!