UNPKG

@nosecone/next

Version:

Protect your Next.js application with secure headers

118 lines (87 loc) 3.73 kB
<a href="https://nosecone.com" target="_arcjet-home"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://arcjet.com/logo/arcjet-dark-lockup-voyage-horizontal.svg"> <img src="https://arcjet.com/logo/arcjet-light-lockup-voyage-horizontal.svg" alt="Arcjet Logo" height="128" width="auto"> </picture> </a> # `@nosecone/next` <p> <a href="https://www.npmjs.com/package/@nosecone/next"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://img.shields.io/npm/v/%40nosecone%2Fnext?style=flat-square&label=%E2%9C%A6Aj&labelColor=000000&color=5C5866"> <img alt="npm badge" src="https://img.shields.io/npm/v/%40nosecone%2Fnext?style=flat-square&label=%E2%9C%A6Aj&labelColor=ECE6F0&color=ECE6F0"> </picture> </a> </p> Protect your Next.js application with secure headers. - [npm package (`@nosecone/next`)](https://www.npmjs.com/package/@nosecone/next) - [GitHub source code (`nosecone-next/` in `arcjet/arcjet-js`)](https://github.com/arcjet/arcjet-js/tree/main/nosecone-next) ## What is this? This is our adapter to integrate Nosecone into Next.js. Nosecone makes it easy to add and configure security headers. This package exists so that we can provide the best possible experience to Next users. ## When should I use this? You can use this package with or without Arcjet to protect your app if you are using Next.js. Use [`@nosecone/sveltekit`][github-nosecone-sveltekit] if you use Sveltekit and use [`nosecone`][github-nosecone] itself if you use a different framework. ## Install This package is ESM only. Install with npm in Node.js: ```sh npm install @nosecone/next ``` ## Use Configure Nosecone in a `middleware.ts` file: ```ts import { createMiddleware } from "@nosecone/next"; export const config = { // matcher tells Next.js to run middleware on all routes matcher: ["/(.*)"], }; export default createMiddleware(); ``` …then use `connection` from `next/server` in `app/layout.tsx`: ```diff +import { connection } from "next/server"; export default async function RootLayout({ children, }: { children: React.ReactNode; }) { + // Opt-out of static generation for every page so the CSP nonce can be applied + await connection() return ( <html lang="en"> <body className={inter.className}>{children}</body> </html> ); } ``` ### Accessing the nonce When the `Content-Security-Policy` is enabled, Nosecone generates a unique nonce for every request. Next.js applies it to the scripts it renders automatically, but third-party scripts that don't use the Next.js `<Script>` component need the nonce passed in manually. For example, [PostHog](https://posthog.com/docs/libraries/next-js) requires the nonce in its `init` call. Use the `nonce` function to read the nonce for the current request from a Server Component, Route Handler, or anywhere else `next/headers` is available: ```tsx import { nonce } from "@nosecone/next"; export default async function Page() { const cspNonce = await nonce(); return <script nonce={cspNonce}>{`/* ... */`}</script>; } ``` The page must be dynamically rendered for the nonce to be available, which is the same requirement as applying the nonce to Next.js scripts (see the `app/layout.tsx` example above). `nonce` returns `undefined` if the `Content-Security-Policy` is disabled or doesn't contain a nonce. ## License [Apache License, Version 2.0][apache-license] © [Arcjet Labs, Inc.][arcjet] [apache-license]: http://www.apache.org/licenses/LICENSE-2.0 [arcjet]: https://arcjet.com [github-nosecone-sveltekit]: https://github.com/arcjet/arcjet-js/tree/main/nosecone-sveltekit [github-nosecone]: https://github.com/arcjet/arcjet-js/tree/main/nosecone