feat(docs): add CSP

Author: branko-stripe

apps/docs/src/middleware.ts

@@ -0,0 +1,59 @@
+import { NextResponse, type NextRequest } from "next/server";
+
+export function middleware(request: NextRequest) {
+  const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
+
+  const cspHeader = `
+    default-src 'self';
+    script-src 'self' 'nonce-${nonce}' 'strict-dynamic';
+    style-src 'self' 'nonce-${nonce}';
+    img-src 'self' blob: data:;
+    font-src 'self';
+    object-src 'none';
+    base-uri 'self';
+    form-action 'self';
+    frame-ancestors 'none';
+    upgrade-insecure-requests;
+`;
+
+  // Replace newline characters and spaces
+  const contentSecurityPolicyHeaderValue = cspHeader.replace(/\s{2,}/g, " ").trim();
+
+  const requestHeaders = new Headers(request.headers);
+  requestHeaders.set("x-nonce", nonce);
+
+  if (process.env.NODE_ENV === "production") {
+    requestHeaders.set("Content-Security-Policy", contentSecurityPolicyHeaderValue);
+  }
+
+  const response = NextResponse.next({
+    request: {
+      headers: requestHeaders,
+    },
+  });
+
+  if (process.env.NODE_ENV === "production") {
+    response.headers.set("Content-Security-Policy", contentSecurityPolicyHeaderValue);
+  }
+
+  return response;
+}
+
+export const config = {
+  matcher: [
+    /*
+     * Match all request paths except for the ones starting with:
+     * - api (API routes)
+     * - _next/static (static files)
+     * - _next/image (image optimization files)
+     * - favicon.ico (favicon file)
+     */
+    {
+      source: "/((?!api|_next/static|_next/image|favicon.ico).*)",
+      missing: [
+        { type: "header", key: "next-router-prefetch" },
+        { type: "header", key: "purpose", value: "prefetch" },
+      ],
+    },
+  ],
+};

turbo.json

@@ -31,7 +31,8 @@
         "NEXT_PUBLIC_DOCSEARCH_INDEX_NAME",
         "WEBFLOW_API_KEY",
         "WEBFLOW_BLOG_ID",
-        "WEBFLOW_CASE_STUDIES_ID"
+        "WEBFLOW_CASE_STUDIES_ID",
+        "NODE_ENV"
       ]
     },
     "clean": {