SuperStarter使用Nosecone来设置与安全相关的HTTP响应头。
以下是已启用的头信息:
Cross-Origin-Embedder-Policy (COEP)Cross-Origin-Opener-PolicyCross-Origin-Resource-PolicyOrigin-Agent-ClusterReferrer-PolicyStrict-Transport-Security (HSTS)X-Content-Type-OptionsX-DNS-Prefetch-ControlX-Download-OptionsX-Frame-OptionsX-Permitted-Cross-Domain-PoliciesX-XSS-Protection
有关每个头信息和配置选项的详细信息,请参阅Nosecone参考文档。
推荐的头信息默认已设置并配置在zh/@repo/security/middleware中。更改此处的配置将影响所有应用。
然后这些头信息会在中间件中附加到响应中,位于zh/apps/app/middleware和zh/apps/web/middleware.ts。调整这些文件中的配置只会影响特定的应用。
内容安全策略(CSP)
CSP头信息默认未设置,因为它需要根据您启用的SuperStarter功能进行特定配置。
在此期间,您可以使用Nosecone配置来设置CSP头信息。例如,以下CSP配置将与默认的SuperStarter功能配合使用:
import type { NoseconeOptions } from '@nosecone/next';
import { defaults as noseconeDefaults } from '@nosecone/next';
const noseconeOptions: NoseconeOptions = {
...noseconeDefaults,
contentSecurityPolicy: {
...noseconeDefaults.contentSecurityPolicy,
directives: {
...noseconeDefaults.contentSecurityPolicy.directives,
scriptSrc: [
// We have to use unsafe-inline because next-themes and Vercel Analytics
// do not support nonce
// https://github.com/pacocoursey/next-themes/issues/106
// https://github.com/vercel/analytics/issues/122
//...noseconeDefaults.contentSecurityPolicy.directives.scriptSrc,
"'self'",
"'unsafe-inline'",
"https://www.googletagmanager.com",
"https://*.clerk.accounts.dev",
"https://va.vercel-scripts.com",
],
connectSrc: [
...noseconeDefaults.contentSecurityPolicy.directives.connectSrc,
"https://*.clerk.accounts.dev",
"https://*.google-analytics.com",
"https://clerk-telemetry.com",
],
workerSrc: [
...noseconeDefaults.contentSecurityPolicy.directives.workerSrc,
"blob:",
"https://*.clerk.accounts.dev"
],
imgSrc: [
...noseconeDefaults.contentSecurityPolicy.directives.imgSrc,
"https://img.clerk.com"
],
objectSrc: [
...noseconeDefaults.contentSecurityPolicy.directives.objectSrc,
],
// We only set this in production because the server may be started
// without HTTPS
upgradeInsecureRequests: process.env.NODE_ENV === "production",
},
},
}
