2023-09-02 00:13:49 +02:00
|
|
|
import { NextResponse } from 'next/server'
|
|
|
|
|
|
|
|
|
|
export function middleware(request) {
|
2023-09-08 07:12:22 +02:00
|
|
|
const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
|
2023-09-02 00:13:49 +02:00
|
|
|
const cspHeader = `
|
|
|
|
|
default-src 'self';
|
|
|
|
|
script-src 'self' 'nonce-${nonce}' 'strict-dynamic';
|
|
|
|
|
style-src 'self' 'nonce-${nonce}';
|
|
|
|
|
img-src 'self' blob: data:;
|
|
|
|
|
font-src 'self';
|
|
|
|
|
object-src 'none';
|
|
|
|
|
base-uri 'self';
|
|
|
|
|
form-action 'self';
|
|
|
|
|
frame-ancestors 'none';
|
|
|
|
|
block-all-mixed-content;
|
|
|
|
|
upgrade-insecure-requests;
|
|
|
|
|
`
|
|
|
|
|
|
2023-09-26 17:12:13 +02:00
|
|
|
const requestHeaders = new Headers(request.headers)
|
2023-09-02 00:13:49 +02:00
|
|
|
|
|
|
|
|
// Setting request headers
|
|
|
|
|
requestHeaders.set('x-nonce', nonce)
|
|
|
|
|
requestHeaders.set(
|
|
|
|
|
'Content-Security-Policy',
|
|
|
|
|
// Replace newline characters and spaces
|
|
|
|
|
cspHeader.replace(/\s{2,}/g, ' ').trim()
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
return NextResponse.next({
|
|
|
|
|
headers: requestHeaders,
|
|
|
|
|
request: {
|
|
|
|
|
headers: requestHeaders,
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export const config = {
|
|
|
|
|
matcher: [
|
|
|
|
|
/*
|
|
|
|
|
* Match all request paths except for the ones starting with:
|
|
|
|
|
* - api (API routes)
|
|
|
|
|
* - _next/static (static files)
|
|
|
|
|
* - _next/image (image optimization files)
|
|
|
|
|
* - favicon.ico (favicon file)
|
|
|
|
|
*/
|
|
|
|
|
{
|
|
|
|
|
source: '/((?!api|_next/static|_next/image|favicon.ico).*)',
|
|
|
|
|
missing: [
|
|
|
|
|
{ type: 'header', key: 'next-router-prefetch' },
|
|
|
|
|
{ type: 'header', key: 'purpose', value: 'prefetch' },
|
|
|
|
|
],
|
|
|
|
|
},
|
|
|
|
|
],
|
|
|
|
|
}
|
