
Replace next-secure-headers with Nosecone for security headers #343

Merged (8 commits) on Dec 11, 2024

Conversation

davidmytton (Contributor) commented Dec 10, 2024

Description

next-secure-headers hasn't been updated for 3 years and is setting obsolete security headers. We just released Nosecone, which is an open source library for configuring security headers like CSP and HSTS on Next.js and other frameworks.

As discussed in the PR, CSP is not set by default. We can revisit when #332 is done. There is a working example config in the docs.

next-secure-headers vs Nosecone

Loading http://localhost:3000/sign-in sets the following headers:

Cache-Control: no-store, must-revalidate
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Tue, 10 Dec 2024 18:48:01 GMT
Keep-Alive: timeout=5
Link: </_next/static/media/GeistMono_Variable.p.0ce97b8a.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/Geist_Variable-s.p.781b491f.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2"
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Transfer-Encoding: chunked
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch, Accept-Encoding
x-clerk-auth-reason: session-token-and-uat-missing
x-clerk-auth-status: signed-out
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: deny
x-middleware-rewrite: /sign-in?redirect_url=http%3A%2F%2Flocalhost%3A3000%2F
X-Powered-By: Next.js
X-XSS-Protection: 1

With Nosecone, the same page sets the following:

Cache-Control: no-store, must-revalidate
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Date: Tue, 10 Dec 2024 18:49:46 GMT
Keep-Alive: timeout=5
Link: </_next/static/media/GeistMono_Variable.p.0ce97b8a.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2", </_next/static/media/Geist_Variable-s.p.781b491f.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2"
origin-agent-cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
Transfer-Encoding: chunked
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch, Accept-Encoding
x-clerk-auth-reason: session-token-and-uat-missing
x-clerk-auth-status: signed-out
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
x-download-options: noopen
X-Frame-Options: SAMEORIGIN
x-middleware-rewrite: /sign-in?redirect_url=http%3A%2F%2Flocalhost%3A3000%2F
x-permitted-cross-domain-policies: none
X-Powered-By: Next.js
X-XSS-Protection: 0

The headers removed are:

Checklist

  • My code follows the code style of this project.
  • I have performed a self-review of my code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have updated the documentation, if necessary.
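The two header listings in the description are easiest to compare mechanically. The following script is an added example, not code from this PR, next-forge or Nosecone (it does not call Nosecone's API at all): it parses two raw response-header dumps case-insensitively, reports what a change added, removed and altered, and flags the settings the PR is concerned with (an enabled legacy X-XSS-Protection filter, a missing Referrer-Policy or CSP, an HSTS max-age under a year). The sample inputs are the security-relevant lines copied from the "before" (next-secure-headers) and "after" (Nosecone) listings above; the audit rules and threshold are the example's own choices.

```javascript
// Added example (not code from the PR, next-forge or Nosecone): parse two
// raw response-header dumps like the ones in the PR description, diff them
// case-insensitively, and flag a few well-known weak or missing settings.
// The two samples below are the security-relevant lines copied from the
// PR's "before" (next-secure-headers) and "after" (Nosecone) listings.

const BEFORE_HEADERS = `
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: deny
X-Powered-By: Next.js
X-XSS-Protection: 1
`;

const AFTER_HEADERS = `
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
origin-agent-cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
x-download-options: noopen
X-Frame-Options: SAMEORIGIN
x-permitted-cross-domain-policies: none
X-Powered-By: Next.js
X-XSS-Protection: 0
`;

// Header names are case-insensitive (RFC 9110), so the map is keyed on the
// lower-cased name; values are kept verbatim apart from trimming.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split("\n")) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // blank or malformed line
    headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return headers;
}

// Report what a header change added, removed and altered, sorted by name.
function diffHeaders(before, after) {
  const added = [];
  const removed = [];
  const changed = [];
  for (const [name, value] of after) {
    if (!before.has(name)) added.push(name);
    else if (before.get(name) !== value) changed.push({ name, from: before.get(name), to: value });
  }
  for (const name of before.keys()) {
    if (!after.has(name)) removed.push(name);
  }
  added.sort();
  removed.sort();
  changed.sort((a, b) => a.name.localeCompare(b.name));
  return { added, removed, changed };
}

// Threshold chosen for this example: one year, the common minimum for HSTS.
const ONE_YEAR_SECONDS = 31536000;

// Minimal audit of the settings discussed in the PR; returns readable findings.
function auditHeaders(headers) {
  const findings = [];
  const hsts = headers.get("strict-transport-security");
  if (!hsts) {
    findings.push("strict-transport-security: missing");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR_SECONDS) findings.push("strict-transport-security: max-age below one year");
  }
  if (!headers.has("content-security-policy")) findings.push("content-security-policy: missing");
  if (!headers.has("referrer-policy")) findings.push("referrer-policy: missing");
  if ((headers.get("x-content-type-options") || "").toLowerCase() !== "nosniff") findings.push("x-content-type-options: not nosniff");
  // X-XSS-Protection: 1 enables a legacy browser filter that current browsers
  // have dropped; the recommended value is 0 (or omit the header entirely).
  if ((headers.get("x-xss-protection") || "").startsWith("1")) findings.push("x-xss-protection: obsolete filter enabled, set to 0");
  const xfo = (headers.get("x-frame-options") || "").toUpperCase();
  if (xfo !== "DENY" && xfo !== "SAMEORIGIN") findings.push("x-frame-options: missing or not DENY/SAMEORIGIN");
  return findings;
}

const beforeSet = parseHeaders(BEFORE_HEADERS);
const afterSet = parseHeaders(AFTER_HEADERS);
console.log(JSON.stringify(diffHeaders(beforeSet, afterSet), null, 2));
console.log("before:", auditHeaders(beforeSet));
console.log("after:", auditHeaders(afterSet));
```

Run with `node headers-diff.js`. On the listings above it reports no removed headers, seven additions (the cross-origin isolation trio, origin-agent-cluster, Referrer-Policy, X-DNS-Prefetch-Control and x-permitted-cross-domain-policies) and three changes (HSTS loses `preload` and drops to a one-year max-age, X-Frame-Options goes from deny to SAMEORIGIN, X-XSS-Protection from 1 to 0); the audit of the Nosecone set leaves only the missing Content-Security-Policy, which matches the description's note that CSP is not set by default.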


vercel bot commented Dec 10, 2024

The latest updates on your projects.

Name | Status | Updated (UTC)
next-forge | Ready | Dec 11, 2024 4:32pm
next-forge-app | Failed | Dec 11, 2024 4:32pm


vercel bot commented Dec 10, 2024

@davidmytton is attempting to deploy a commit to the Hayden Bleasel Team on Vercel.

A member of the Team first needs to authorize it.

Review comment on apps/app/middleware.ts (outdated, resolved)
@haydenbleasel haydenbleasel added the documentation Changes only affect the documentation label Dec 11, 2024
@haydenbleasel haydenbleasel self-assigned this Dec 11, 2024
haydenbleasel (Owner) commented

Great work as usual @davidmytton, thanks!


github-actions bot commented: PR was released in v2.20.28

@github-actions github-actions bot added the released This issue/pull request has been released. label Dec 11, 2024