add client/admin pages, show info and created admin api and server actions
This commit is contained in:
60
lib/CSP.ts
Normal file
60
lib/CSP.ts
Normal file
@@ -0,0 +1,60 @@
|
||||
// @Docs https://content-security-policy.com/
|
||||
|
||||
import { NextRequest, NextResponse } from 'next/server'
|
||||
|
||||
export class CSP {
|
||||
private readonly request: any
|
||||
private readonly on: boolean
|
||||
private readonly request_headers?: Headers
|
||||
private readonly csp_with_nonce?: string
|
||||
private next_response?: NextResponse
|
||||
|
||||
constructor (request: any, on?: boolean) {
|
||||
this.request = request
|
||||
this.on = on ?? true
|
||||
|
||||
if (this.on) {
|
||||
const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
|
||||
this.csp_with_nonce = CSP.contentSecurityPolicyHeaderValue(nonce)
|
||||
this.request_headers = new Headers(this.request.headers)
|
||||
this.request_headers.set('x-nonce', nonce)
|
||||
this.request_headers.set('x-xxx', '123')
|
||||
this.request_headers.set('Content-Security-Policy', this.csp_with_nonce)
|
||||
}
|
||||
}
|
||||
|
||||
private static contentSecurityPolicyHeaderValue (nonce: string): string {
|
||||
//style-src 'self' 'nonce-${nonce}';
|
||||
return `
|
||||
default-src 'self';
|
||||
script-src 'self' 'nonce-${nonce}' 'strict-dynamic';
|
||||
style-src 'self' 'unsafe-inline';
|
||||
img-src 'self' blob: data: avatars.githubusercontent.com *.googleusercontent.com;
|
||||
connect-src 'self';
|
||||
font-src 'self';
|
||||
object-src 'none';
|
||||
base-uri 'self';
|
||||
form-action 'self';
|
||||
frame-ancestors 'none';
|
||||
upgrade-insecure-requests`.replace(/\s{2,}/g, ' ').trim()
|
||||
}
|
||||
|
||||
next (middleware?: (request: NextRequest) => NextResponse<unknown>): NextResponse<unknown> {
|
||||
if (!this.on) {
|
||||
return middleware ? middleware(this.request) : NextResponse.next()
|
||||
}
|
||||
|
||||
if (middleware) {
|
||||
const reqNext = new NextRequest(this.request, { headers: this.request_headers })
|
||||
this.next_response = middleware(reqNext)
|
||||
} else {
|
||||
this.next_response = NextResponse.next({
|
||||
request: { headers: this.request_headers },
|
||||
})
|
||||
}
|
||||
|
||||
this.next_response.headers.set('Content-Security-Policy', this.csp_with_nonce as string)
|
||||
|
||||
return this.next_response
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user