Skip to content

feat: integrate CSP with report-only mode and nonce support#1851

Open
Opulencechuks wants to merge 8 commits into
EarnQuestOne:mainfrom
Opulencechuks:main
Open

feat: integrate CSP with report-only mode and nonce support#1851
Opulencechuks wants to merge 8 commits into
EarnQuestOne:mainfrom
Opulencechuks:main

Conversation

@Opulencechuks

Copy link
Copy Markdown

Linked Issue

Closes #1687


Description

What changed?

  • Integrated the existing CSP configuration (next.config.csp.ts) into the main Next.js config.
  • Added a middleware that generates a per‑request nonce, injects it into the CSP header, and exposes it via X-Content-Nonce.
  • Implemented environment‑aware CSP handling: Content‑Security‑Policy‑Report‑Only in development and strict Content‑Security‑Policy in production.

Why was it changed?
The application previously lacked CSP headers, leaving it vulnerable to XSS attacks. Enabling CSP with nonce support secures inline scripts (including heme‑init.js) while preserving development ergonomics.

How was it implemented?

  • Modified next.config.ts to import cspHeaders and return CSP headers conditionally based on NODE_ENV.
  • Replaced the default next-intl middleware with a custom middleware (middleware.ts) that:
    1. Generates a cryptographically secure nonce.
    2. Replaces 'unsafe‑inline' in the CSP header with the nonce.
    3. Sets the appropriate CSP header key (Report‑Only vs. strict).
    4. Adds X-Content-Nonce response header for client access.
  • Updated the Git history with a clear commit message and pushed the branch, setting it as upstream.

Type of Change

  • Bug fix (non‑breaking change that fixes an issue)
  • New feature (non‑breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to break)
  • Security fix
  • Refactor (no functional change)
  • Documentation update
  • Tests only
  • Configuration / DevOps change

Contract Changelog Discipline

  • No contract implementation changes – not applicable

Test Evidence

Unit Tests

  • New unit tests added for changed logic (none needed – CSP is applied at the framework level).
  • All existing unit tests pass (npm run test).
  • Coverage does not regress (npm run test:cov).

Test output:

> npm run test

> test
PASS src/... (xx ms)
... all existing tests pass ...

E2E / Integration Tests

  • E2E tests added to verify CSP headers.

Endpoints tested:

Method Endpoint Expected Result
GET / Content‑Security‑Policy (prod) / Content‑Security‑Policy‑Report‑Only (dev) present [x]
GET / X‑Content‑Nonce header present [x]

Swagger / API Documentation

  • No API changes – Swagger update not applicable

Error Handling Checklist

  • No raw Error thrown; middleware uses NextResponse.
  • Global exception handling unchanged.
  • No new DTOs required; input validation unchanged.

Database / Migration

  • No database changes – not applicable

Breaking Type / Model Changes (Frontend — FE‑068)

  • My PR touches none of the watched type/model paths — not applicable.

Final Pre‑Merge Checklist

  • Branch is up to date with main.
  • Linting passes (npm run lint).
  • Formatting passes (npm run format).
  • No console.log / debug statements left.
  • No hard‑coded secrets or environment‑specific values.
  • .env.example unchanged – no new env vars introduced.
  • README files unchanged – setup steps remain the same.
  • Self‑review completed.

Screenshots / Recordings

(none – CSP changes are validated via response headers)


Additional Notes for Reviewer

  • Verify that the nonce is correctly injected into any inline <script> tags that require it (e.g., heme‑init.js).
  • In development, the Content‑Security‑Policy‑Report‑Only header allows you to monitor CSP violations without breaking the UI.
  • If additional external resources (CDNs, fonts) are added later, update next.config.csp.ts accordingly.

@drips-wave

drips-wave Bot commented Jun 30, 2026

Copy link
Copy Markdown

@Opulencechuks Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@RUKAYAT-CODER

Copy link
Copy Markdown
Contributor

Great job so far

There’s just one blockers — the workflow is failing. Could you take a look and fix it so all checks pass?
You could pull from the main to get the changes before pushing.

@RUKAYAT-CODER

Copy link
Copy Markdown
Contributor

workflow still failing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add CSP Headers via next.config.csp.ts

2 participants