Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace next-secure-headers with Nosecone for security headers #343

Merged
merged 8 commits into from
Dec 11, 2024

Conversation

davidmytton
Copy link
Contributor

@davidmytton davidmytton commented Dec 10, 2024

Description

next-secure-headers hasn't been updated for 3 years and is setting obsolete security headers. We just released Nosecone which is an open source library for configuring security headers like CSP and HSTS on Next.js and other frameworks.

As discussed in the PR, CSP is not set by default. We can revisit when #332 is done. There is a working example config in the docs.

next-secure-headers vs Nosecone

Loading http://localhost:3000/sign-in sets the following headers:

Cache-Control: no-store, must-revalidate
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Tue, 10 Dec 2024 18:48:01 GMT
Keep-Alive: timeout=5
Link: </_next/static/media/GeistMono_Variable.p.0ce97b8a.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/Geist_Variable-s.p.781b491f.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2"
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Transfer-Encoding: chunked
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch, Accept-Encoding
x-clerk-auth-reason: session-token-and-uat-missing
x-clerk-auth-status: signed-out
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: deny
x-middleware-rewrite: /sign-in?redirect_url=http%3A%2F%2Flocalhost%3A3000%2F
X-Powered-By: Next.js
X-XSS-Protection: 1

With Nosecone, the same page sets the following:

Cache-Control: no-store, must-revalidate
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Date: Tue, 10 Dec 2024 18:49:46 GMT
Keep-Alive: timeout=5
Link: </_next/static/media/GeistMono_Variable.p.0ce97b8a.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/Geist_Variable-s.p.781b491f.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2"
origin-agent-cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
Transfer-Encoding: chunked
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch, Accept-Encoding
x-clerk-auth-reason: session-token-and-uat-missing
x-clerk-auth-status: signed-out
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
x-download-options: noopen
X-Frame-Options: SAMEORIGIN
x-middleware-rewrite: /sign-in?redirect_url=http%3A%2F%2Flocalhost%3A3000%2F
x-permitted-cross-domain-policies: none
X-Powered-By: Next.js
X-XSS-Protection: 0

The headers removed are:

Checklist

  • My code follows the code style of this project.
  • I have performed a self-review of my code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have updated the documentation, if necessary.

Sorry, something went wrong.

Copy link

vercel bot commented Dec 10, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
next-forge ✅ Ready (Inspect) Visit Preview 💬 Add feedback Dec 11, 2024 4:32pm
next-forge-app ❌ Failed (Inspect) Dec 11, 2024 4:32pm

Copy link

vercel bot commented Dec 10, 2024

@davidmytton is attempting to deploy a commit to the Hayden Bleasel Team on Vercel.

A member of the Team first needs to authorize it.

apps/app/middleware.ts Outdated Show resolved Hide resolved

Verified

This commit was signed with the committer’s verified signature.
haydenbleasel Hayden Bleasel

Verified

This commit was signed with the committer’s verified signature.
haydenbleasel Hayden Bleasel

Verified

This commit was signed with the committer’s verified signature.
haydenbleasel Hayden Bleasel

Verified

This commit was signed with the committer’s verified signature.
haydenbleasel Hayden Bleasel

Verified

This commit was signed with the committer’s verified signature.
haydenbleasel Hayden Bleasel

Verified

This commit was signed with the committer’s verified signature.
haydenbleasel Hayden Bleasel

Verified

This commit was signed with the committer’s verified signature.
haydenbleasel Hayden Bleasel

Verified

This commit was signed with the committer’s verified signature.
haydenbleasel Hayden Bleasel
@haydenbleasel haydenbleasel added the documentation Changes only affect the documentation label Dec 11, 2024
@haydenbleasel haydenbleasel self-assigned this Dec 11, 2024
@haydenbleasel
Copy link
Owner

Great work as usual @davidmytton, thanks!

Copy link

🚀 PR was released in v2.20.28 🚀

@github-actions github-actions bot added the released This issue/pull request has been released. label Dec 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Changes only affect the documentation released This issue/pull request has been released.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants