Create _document for Content-Security-Policy and other headers #133
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vingkan
added
app
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
NextJS has some struggles related to implementing a Content-Security-Policy.
Long story short, in development NextJS generates and evaluates scripts and styles in an unsafe way. It required some messing around with how our NextJS pages are rendered to add a more secure Content-Security-Policy and keep the current functionality.
For more background, check out these links:
The advanced feature in the NextJS documentation did not work. But I was able to use the
_document.jspage and most of Rees Morris' solution to add the headers. The main change I made, so that the headers would work on our static site in production, was to manually set a meta tag in the Head tag with the header.Since our site is statically rendered, the nonce will be the same value for each build and available in the source code. I worry that this means attackers can retrieve the nonce and use it to inject a script past the policy. However, I tried to inject a script from a different origin with the same nonce, and it was still rejected by the policy.
I will work with @Jmacias2019 to implement our Content-Security-Policy. Hopefully we can use this approach for the other headers as well.
CC: @olakukielko