UNPKG

@nosecone/next

Version:

Protect your Next.js application with secure headers

54 lines (53 loc) 2.64 kB
import nosecone, { NoseconeOptions, Options, Options as Options$1, defaults as defaults$1, withVercelToolbar } from "nosecone"; //#region src/index.d.ts type BaseDirectives = (typeof defaults$1)["contentSecurityPolicy"]["directives"]; /** * Nosecone Next.js defaults. * * The type spells out the concrete directive shape rather than the wider * `Options`: consumers extend the defaults by spreading * `defaults.contentSecurityPolicy.directives`, so every directive must stay * a concrete readonly array, as it was before `isolatedDeclarations` required * an explicit annotation here. Everything is derived from `typeof * baseDefaults` so the type cannot drift from the `nosecone` package. */ declare const defaults: Omit<typeof defaults$1, "contentSecurityPolicy"> & { readonly contentSecurityPolicy: { readonly directives: Omit<BaseDirectives, "scriptSrc" | "styleSrc"> & { readonly scriptSrc: readonly (BaseDirectives["scriptSrc"][number] | ReturnType<typeof nextScriptSrc>[number])[]; readonly styleSrc: readonly (BaseDirectives["styleSrc"][number] | ReturnType<typeof nextStyleSrc>[number])[]; }; }; }; declare function createNonce(): `'nonce-${string}'`; declare function nextScriptSrc(): readonly [typeof createNonce, "'unsafe-eval'"] | readonly [typeof createNonce]; /** * Get the `Content-Security-Policy` nonce for the current request. * * Nosecone generates a unique nonce for every request when the * `Content-Security-Policy` is configured with our defaults. Next.js applies * that nonce to the scripts it renders automatically, but third-party scripts * that do not use the Next.js `<Script>` component need the value passed in * manually. For example, PostHog requires the nonce in its `init` call. * * Call this from a Server Component, Route Handler, or anywhere else * `next/headers` is available. The page must be dynamically rendered for the * nonce to be available — see the example in the `README`. * * @returns * The nonce for the current request, or `undefined` if the * `Content-Security-Policy` is disabled or does not contain a nonce. */ declare function nonce(): Promise<string | undefined>; declare function nextStyleSrc(): readonly ["'unsafe-inline'"]; /** * Create Next.js middleware that sets secure headers on every request. * * @param options * Configuration to provide to Nosecone. * @returns * Next.js middleware that sets secure headers. */ declare function createMiddleware(options?: Options$1): () => Promise<Response>; //#endregion export { type NoseconeOptions, type Options, createMiddleware, nosecone as default, nosecone, defaults, nonce, withVercelToolbar };