summaryrefslogtreecommitdiff
path: root/src/middleware.ts
diff options
context:
space:
mode:
Diffstat (limited to 'src/middleware.ts')
-rw-r--r--src/middleware.ts40
1 files changed, 40 insertions, 0 deletions
diff --git a/src/middleware.ts b/src/middleware.ts
new file mode 100644
index 0000000..74f5aed
--- /dev/null
+++ b/src/middleware.ts
@@ -0,0 +1,40 @@
+import { NextResponse } from "next/server";
+import type { NextRequest } from "next/server";
+
+export function middleware(request: NextRequest) {
+ const response = NextResponse.next();
+ const { pathname } = request.nextUrl;
+
+ const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
+
+ const cspDirectives = [
+ "default-src 'self'",
+ `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
+ `style-src 'self' 'unsafe-inline'`,
+ "img-src 'self' data: blob:",
+ "font-src 'self'",
+ `connect-src 'self' ${process.env.KEYCLOAK_ISSUER || ""}`,
+ "frame-ancestors 'none'",
+ "base-uri 'self'",
+ "form-action 'self'",
+ "upgrade-insecure-requests",
+ ];
+
+ if (pathname.startsWith("/admin")) {
+ return response;
+ }
+
+ response.headers.set(
+ "Content-Security-Policy",
+ cspDirectives.join("; ")
+ );
+ response.headers.set("X-Nonce", nonce);
+
+ return response;
+}
+
+export const config = {
+ matcher: [
+ "/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
+ ],
+};
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-22 08:20:13 +0000