From af2c3f71bf6d736000f04188cd3223846c5caae6 Mon Sep 17 00:00:00 2001
From: Tim Neutkens
Date: Fri, 10 Nov 2023 14:28:43 +0100
Subject: [PATCH] Update 15-content-security-policy.mdx

Ensures the CSP header is still set on the response.
---
 .../15-content-security-policy.mdx | 32 +++++++++++++++----
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/docs/02-app/01-building-your-application/07-configuring/15-content-security-policy.mdx b/docs/02-app/01-building-your-application/07-configuring/15-content-security-policy.mdx
index ff0338a773..f9ed6991e5 100644
--- a/docs/02-app/01-building-your-application/07-configuring/15-content-security-policy.mdx
+++ b/docs/02-app/01-building-your-application/07-configuring/15-content-security-policy.mdx
@@ -54,20 +54,31 @@ export function middleware(request: NextRequest) {
 block-all-mixed-content;
 upgrade-insecure-requests;
 `
+ // Replace newline characters and spaces
+ const contentSecurityPolicyHeaderValue = cspHeader
+ .replace(/\s{2,}/g, ' ')
+ .trim()
 const requestHeaders = new Headers(request.headers)
 requestHeaders.set('x-nonce', nonce)
+
 requestHeaders.set(
 'Content-Security-Policy',
- // Replace newline characters and spaces
- cspHeader.replace(/\s{2,}/g, ' ').trim()
+ contentSecurityPolicyHeaderValue
 )
- return NextResponse.next({
+ const response = NextResponse.next({
+ headers: requestHeaders,
 request: {
 headers: requestHeaders,
 },
 })
+ response.headers.set(
+ 'Content-Security-Policy',
+ contentSecurityPolicyHeaderValue
+ )
+
+ return response
 }
 ```
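Review bot: The `headers: requestHeaders,` line added to the `NextResponse.next({ ... })` call in the TypeScript example turns every incoming request header into a response header, because `requestHeaders` is built with `new Headers(request.headers)`. That reflects `Cookie`, `Authorization`, the `x-nonce` value and anything a fronting proxy injected back to the client, which a widely copied security example should avoid. The `response.headers.set('Content-Security-Policy', contentSecurityPolicyHeaderValue)` call added just below already puts the policy on the response, so the call can stay `NextResponse.next({ request: { headers: requestHeaders } })`. The JavaScript example in the second hunk carries the same `headers: requestHeaders,` line as unchanged context and would want the same removal. The `middleware` function begins above both hunks, so this is based only on the visible tail of each example.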
@@ -89,21 +100,30 @@ export function middleware(request) {
 block-all-mixed-content;
 upgrade-insecure-requests;
 `
+ // Replace newline characters and spaces
+ const contentSecurityPolicyHeaderValue = cspHeader
+ .replace(/\s{2,}/g, ' ')
+ .trim()
 const requestHeaders = new Headers(request.headers)
 requestHeaders.set('x-nonce', nonce)
 requestHeaders.set(
 'Content-Security-Policy',
- // Replace newline characters and spaces
- cspHeader.replace(/\s{2,}/g, ' ').trim()
+ contentSecurityPolicyHeaderValue
 )
- return NextResponse.next({
+ const response = NextResponse.next({
 headers: requestHeaders,
 request: {
 headers: requestHeaders,
 },
 })
+ response.headers.set(
+ 'Content-Security-Policy',
+ contentSecurityPolicyHeaderValue
+ )
+
+ return response
 }
 ```