how to add content-security-policy | Next.js | Page 1

solid pythonBOT Aug 28, 2023, 10:01 AM

Hi @vital prawn. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

Sure, I can help you with that.

In Next.js, you can add Content Security Policy (CSP) in the next.config.js file. CSP helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks. It can specify allowed origins for content including scripts, stylesheets, images, fonts, objects, media (audio, video), iframes, and more.

Here is an example of how you can add Content Security Policy directives using a template string:

// Before defining your Security Headers
// add Content Security Policy directives using a template string.
 
const ContentSecurityPolicy = `
 default-src 'self';
 script-src 'self';
 child-src example.com;
 style-src 'self' example.com;
 font-src 'self';
`

When a directive uses a keyword such as self, wrap it in single quotes ''.

In the header's value, replace the new line with a space.

{
 key: 'Content-Security-Policy',
 value: ContentSecurityPolicy.replace(/\s{2,}/g, ' ').trim()
}

If you want to load scripts, images etc. from other domains, you need to adapt the Content Security Policy accordingly.

If you are serving SVG images with the default Image Optimization API, you can set dangerouslyAllowSVG inside your next.config.js and it is strongly recommended to also set contentDispositionType to force the browser to download the image, as well as contentSecurityPolicy to prevent scripts embedded in the image from executing.

module.exports = {
 images: {
 dangerouslyAllowSVG: true,
 contentDispositionType: 'attachment',
 contentSecurityPolicy: "default-src 'self'; script-src 'none'; sandbox;",
 },
}

Please note that the CSP needs to be correctly configured to avoid errors. If you are seeing an error in the Chrome console, it might be due to a misconfiguration in your CSP. Make sure that all the resources you are loading are allowed in your CSP.

For more information, you can refer to the Next.js documentation (https://nextjs.org/docs/app/api-reference/next-config-js/headers) and Vercel templates (https://vercel.com/templates/next.js/tailwind-css-starter-blog).

I hope this helps! Let me know if you have any other questions.

`Note: you can ask me a follow up question by @ mentioning me again` :speech_balloon:

@vital prawn kapa.ai is still learning and improving, please let us know how it did by reacting below

vital prawn Aug 28, 2023, 10:05 AM

I found following code in starter blog template

const ContentSecurityPolicy = default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' giscus.app analytics.umami.is; style-src 'self' 'unsafe-inline'; img-src * blob: data:; media-src *.s3.amazonaws.com; connect-src *; font-src 'self'; frame-src giscus.app

#how to add content-security-policy

I hope this helps! Let me know if you have any other questions.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

`Note: you can ask me a follow up question by @ mentioning me again` :speech_balloon: