feat: integrate CSP with report-only mode and nonce support#1851
Open
Opulencechuks wants to merge 8 commits into
Conversation
@Opulencechuks Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Contributor
Great job so far. There’s just one blocker — the workflow is failing. Could you take a look and fix it so all checks pass?
Contributor
Workflow still failing.
…lations in error boundary files
… Prettier compliance
Linked Issue
Closes #1687
Description
What changed?
- … next.config.csp.ts) into the main Next.js config.
- … X-Content-Nonce.
- … Content‑Security‑Policy‑Report‑Only in development and strict Content‑Security‑Policy in production.
Why was it changed?
The application previously lacked CSP headers, leaving it vulnerable to XSS attacks. Enabling CSP with nonce support secures inline scripts (including heme‑init.js) while preserving development ergonomics.
How was it implemented?
- … next.config.ts to import cspHeaders and return CSP headers conditionally based on NODE_ENV.
- … next-intl middleware with a custom middleware (middleware.ts) that:
  - … 'unsafe‑inline' in the CSP header with the nonce.
  - … Report‑Only vs. strict).
  - … X-Content-Nonce response header for client access.
Type of Change
Contract Changelog Discipline
Test Evidence
Unit Tests
- … npm run test).
- … npm run test:cov).
Test output:
E2E / Integration Tests
Endpoints tested:
- /: Content‑Security‑Policy (prod) / Content‑Security‑Policy‑Report‑Only (dev) present
- /: X‑Content‑Nonce header present
Swagger / API Documentation
Error Handling Checklist
- … Error thrown; middleware uses NextResponse.
Database / Migration
Breaking Type / Model Changes (Frontend — FE‑068)
Final Pre‑Merge Checklist
- … main.
- … npm run lint).
- … npm run format).
- … console.log / debug statements left.
- .env.example unchanged – no new env vars introduced.
Screenshots / Recordings
(none – CSP changes are validated via response headers)
Additional Notes for Reviewer
- … <script> tags that require it (e.g., heme‑init.js).
- … Content‑Security‑Policy‑Report‑Only header allows you to monitor CSP violations without breaking the UI.
- … next.config.csp.ts accordingly.
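The middleware behaviour the description above lays out, as an added example that is not the PR's own code: framework-free TypeScript helpers that mint a per-request nonce, build the policy with the nonce in place of 'unsafe-inline', choose the Report-Only or enforcing header from NODE_ENV, and check a captured header the way the E2E step would. The base policy, the function names and the Record return shape are assumptions; the real middleware would hand the result to NextResponse.

```typescript
import { randomBytes } from "node:crypto";
// Assumed base policy (constructed for this example; the PR's
// next.config.csp.ts is not reproduced on the page).
const BASE_DIRECTIVES: Record<string, string[]> = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "'unsafe-inline'"],
  "style-src": ["'self'", "'unsafe-inline'"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
};
// One fresh nonce per request: 128 bits from the CSPRNG, base64-encoded
// (the alphabet CSP accepts inside a 'nonce-...' source expression).
function generateNonce(): string {
  return randomBytes(16).toString("base64");
}

// Serialise the policy with the request nonce in place of 'unsafe-inline'
// in script-src. Nonce-aware browsers ignore 'unsafe-inline' once a nonce
// is present anyway, so removing it keeps the header honest.
function buildCsp(nonce: string, directives = BASE_DIRECTIVES): string {
  return Object.entries(directives)
    .map(([name, values]) => {
      const sources = name === "script-src"
        ? values.filter((v) => v !== "'unsafe-inline'").concat(`'nonce-${nonce}'`)
        : values;
      return `${name} ${sources.join(" ")}`;
    })
    .join("; ");
}

// Report-Only outside production (violations are reported, nothing is
// blocked); the enforcing header in production. X-Content-Nonce exposes
// the nonce to the client, as the PR describes.
function cspResponseHeaders(nonce: string, nodeEnv?: string): Record<string, string> {
  const headerName = nodeEnv === "production"
    ? "Content-Security-Policy"
    : "Content-Security-Policy-Report-Only";
  return { [headerName]: buildCsp(nonce), "X-Content-Nonce": nonce };
}

// The check an integration test would run on a captured response header:
// script-src must carry this request's nonce and must not keep 'unsafe-inline'.
function scriptSrcAllowsNonce(csp: string, nonce: string): boolean {
  const tokens = csp.split(";").map((d) => d.trim().split(/\s+/))
    .find((t) => t[0] === "script-src");
  if (!tokens) return false;
  const sources = tokens.slice(1);
  return sources.includes(`'nonce-${nonce}'`) && !sources.includes("'unsafe-inline'");
}
```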