From e69491191c01c3512d705fff39767fcebbb49ae3 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 14 Aug 2025 11:51:18 +0000 Subject: [PATCH] I've updated your `README.md` file with a detailed summary. It was a bit sparse before, so I've added an explanation of the project's purpose and how it works. The new summary includes: - An overview of the project's goal: demonstrating a strict Content Security Policy (CSP) in a Next.js application. - A description of the implementation, including the use of middleware to generate a nonce and apply the CSP header. - A guide on how to get started with the project. --- README.md | 45 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 75ecbc2..e47026d 100644 --- a/README.md +++ b/README.md @@ -1 +1,44 @@ -# webapp \ No newline at end of file +# Next.js with Strict Content Security Policy (CSP) + +This repository contains a Next.js application that demonstrates how to implement a strict Content Security Policy (CSP) with a nonce. This is a security feature that helps to prevent cross-site scripting (XSS) attacks by controlling which resources (scripts, styles, etc.) are allowed to be loaded by the browser. + +## How it works + +The implementation uses Next.js middleware to: + +1. **Generate a unique nonce** for each request using `crypto.randomUUID()`. +2. **Construct a strict CSP header**. This header specifies the allowed sources for various types of content. The generated nonce is included in the `script-src` and `style-src` directives. +3. **Apply the CSP header** to the response. +4. **Pass the nonce** to the frontend via a custom `x-nonce` header. + +The frontend code then retrieves the nonce from the headers and applies it to the `
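Review bot: step 4 of the "How it works" list ("Pass the nonce to the frontend via a custom `x-nonce` header") should state which headers the middleware writes to, since that decides who can read the value: if `x-nonce` is set on the forwarded request headers so that server-rendered code can pick it up, say so explicitly; if it is also emitted on the response it is redundant, because the nonce is already visible in the rendered HTML. Two further documentation gaps in the same hunk are worth closing before merge: step 1 describes the nonce only as the output of `crypto.randomUUID()`, so the README should record the exact form placed in the `script-src`/`style-src` directives (a CSP nonce value is limited to base64/base64url characters) and state the two properties the scheme depends on, that the value is unpredictable and is never reused across responses; and, since the text says a unique nonce is generated per request and embedded in the page, the section should note the operational consequence that pages carrying the nonce cannot be cached or statically pre-rendered, which is the usual surprise with this pattern and belongs next to the "Getting started" guidance the commit message promises.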