fix: CSP blocks resources on HTTP, conditional upgrade-insecure-requestsHEAD main

author: ertopogo <erwin.t.pombett@gmail.com> 2026-02-19 15:07:10 +0100
committer: ertopogo <erwin.t.pombett@gmail.com> 2026-02-19 15:07:10 +0100
commit: 202f3256fa1bb60a72322ca1c4c3b5e6ffca212a (patch)
tree: a8a6a499e9e09dfba327fd4caacb745824c436bb /src
parent: 2bd68f0cbce62624ec79350835436afcdfad7471 (diff)
1 files changed, 7 insertions, 8 deletions
diff --git a/src/middleware.ts b/src/middleware.ts
index 74f5aed..42fef0f 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -5,11 +5,15 @@ export function middleware(request: NextRequest) {
   const response = NextResponse.next();
   const { pathname } = request.nextUrl;
 
-  const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
+  if (pathname.startsWith("/admin")) {
+    return response;
+  }
+
+  const isHttps = request.nextUrl.protocol === "https:";
 
   const cspDirectives = [
     "default-src 'self'",
-    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
+    `script-src 'self' 'unsafe-inline' 'unsafe-eval'`,
     `style-src 'self' 'unsafe-inline'`,
     "img-src 'self' data: blob:",
     "font-src 'self'",
@@ -17,18 +21,13 @@ export function middleware(request: NextRequest) {
     "frame-ancestors 'none'",
     "base-uri 'self'",
     "form-action 'self'",
-    "upgrade-insecure-requests",
+    ...(isHttps ? ["upgrade-insecure-requests"] : []),
   ];
 
-  if (pathname.startsWith("/admin")) {
-    return response;
-  }
-
   response.headers.set(
     "Content-Security-Policy",
     cspDirectives.join("; ")
   );
-  response.headers.set("X-Nonce", nonce);
 
   return response;
 }
author	ertopogo <erwin.t.pombett@gmail.com>	2026-02-19 15:07:10 +0100
committer	ertopogo <erwin.t.pombett@gmail.com>	2026-02-19 15:07:10 +0100
commit	202f3256fa1bb60a72322ca1c4c3b5e6ffca212a (patch)
tree	a8a6a499e9e09dfba327fd4caacb745824c436bb /src
parent	2bd68f0cbce62624ec79350835436afcdfad7471 (diff)