in src/app/tmp.middleware.ts [9:53]
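/**
 * Builds the Content-Security-Policy value for one request.
 *
 * The policy is written as a multi-line template for readability and then
 * collapsed to a single line: every run of whitespace becomes one space and
 * the ends are trimmed. Header values may not contain CR/LF, so this must
 * also catch a *single* newline between directives — `\s{2,}` only does so
 * when the template happens to be indented, which is why `\s+` is used.
 *
 * @param nonce - Per-request nonce. Inline `<script>`/`<style>` elements
 *   must carry `nonce="<nonce>"` to be allowed by this policy.
 * @returns The policy as a header-safe, single-line string.
 */
function buildContentSecurityPolicy(nonce: string): string {
  const policy = `
    default-src 'self';
    script-src 'self' 'nonce-${nonce}' 'strict-dynamic';
    style-src 'self' 'nonce-${nonce}';
    img-src 'self' blob: data:;
    font-src 'self';
    object-src 'none';
    base-uri 'self';
    form-action 'self';
    frame-ancestors 'none';
    upgrade-insecure-requests;
  `;
  // 'strict-dynamic' (script-src) lets scripts loaded by a nonced script run
  // transitively and makes supporting browsers ignore host allowlists, so the
  // nonce is the only thing that authorises script execution. No
  // 'unsafe-inline' anywhere: inline code without the nonce is blocked.
  return policy.replace(/\s+/g, " ").trim();
}

/**
 * Next.js middleware that attaches a nonce-based Content-Security-Policy to
 * both the forwarded request and the outgoing response.
 *
 * A fresh nonce is generated for every request, so a nonce seen in one
 * response is useless for injecting into another. The same value is passed
 * downstream in the `x-nonce` request header (presumably read by the
 * rendering layer to stamp inline scripts/styles — confirm against the
 * consumer) and the policy itself is set on both the forwarded request and
 * the response so the browser enforces it.
 *
 * @param request - The incoming request; its headers are copied, not mutated.
 * @returns A `NextResponse.next()` response carrying the CSP header.
 */
export function middleware(request: NextRequest) {
  // A v4 UUID provides 122 random bits; base64 keeps the nonce within the
  // character set CSP accepts for nonce values.
  const nonce = btoa(crypto.randomUUID());
  const contentSecurityPolicyHeaderValue = buildContentSecurityPolicy(nonce);

  // Copy the incoming headers so the original request object is untouched.
  const requestHeaders = new Headers(request.headers);
  requestHeaders.set("x-nonce", nonce);
  requestHeaders.set(
    "Content-Security-Policy",
    contentSecurityPolicyHeaderValue
  );

  // Forward the augmented headers to the route being rendered.
  const response = NextResponse.next({
    request: {
      headers: requestHeaders,
    },
  });

  // The response header is what the browser actually enforces.
  response.headers.set(
    "Content-Security-Policy",
    contentSecurityPolicyHeaderValue
  );
  return response;
}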