1
0
Fork 0
mirror of https://github.com/terribleplan/next.js.git synced 2024-01-19 02:48:18 +00:00
next.js/examples/with-strict-csp/csp.js
2018-08-06 20:19:16 -07:00

32 lines
784 B
JavaScript

const helmet = require('helmet')
const uuidv4 = require('uuid/v4')
module.exports = function csp (app) {
// Create a nonce on every request and make it available to other middleware
app.use((req, res, next) => {
res.locals.nonce = Buffer.from(uuidv4()).toString('base64')
next()
})
const nonce = (req, res) => `'nonce-${res.locals.nonce}'`
const scriptSrc = [nonce, "'strict-dynamic'", "'unsafe-inline'", 'https:']
// In dev we allow 'unsafe-eval', so HMR doesn't trigger the CSP
if (process.env.NODE_ENV !== 'production') {
scriptSrc.push("'unsafe-eval'")
}
app.use(
helmet({
contentSecurityPolicy: {
directives: {
baseUri: ["'none'"],
objectSrc: ["'none'"],
scriptSrc
}
}
})
)
}