Hartmut/Nexus
1
0
Fork 0
Code Issues 11 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
bfdf0a82da7cb3e9fa7e33d933aa8633112ac580
Nexus/apps/web/src/middleware.ts
T
Hartmut bfdf0a82da security/platform: close audit findings #19–#26 
Tests, CSP nonce middleware, SSRF guard, perf-route hardening,
Docker env isolation, migration runbook, RBAC E2E coverage.

Tickets resolved:
- #19: MfaSetup.test.ts — static source tests confirming local QR rendering
- #20: ssrf-guard.test.ts (16 tests) + webhook-procedure-support mock fix
- #21: /api/perf route.test.ts (5 tests) — header-only auth, fail-closed
- #22: middleware.ts (nonce-based CSP) + middleware.test.ts (6 tests);
       layout.tsx async + nonce prop; CSP removed from next.config.ts
- #23: Active-session registry enforcement verified (already in codebase)
- #24: docker-compose.yml REDIS_URL hardcoded (no host-env substitution)
- #25: docker-compose.yml REDIS_URL + docs/developer-runbook.md created
- #26: e2e/dev-system/rbac-data-access.spec.ts (12 tests, 3 roles × 4 procedures)

Quality gates: tsc clean, api 1447/1447, web 189/189 passing.
Turbo concurrency capped at 2 (package.json) to prevent OOM under
parallel test runs.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 22:14:20 +02:00

49 lines
1.6 KiB
TypeScript
Raw Blame History

import { NextRequest, NextResponse } from "next/server";
function buildCsp(nonce: string, isProd: boolean): string {
const scriptSrc = isProd
? `'self' 'nonce-${nonce}'`
: `'self' 'unsafe-eval' 'unsafe-inline'`;
const imgSrc = isProd ? "'self' data: blob:" : "'self' data: blob: https:";
return [
"default-src 'self'",
`script-src ${scriptSrc}`,
"style-src 'self' 'unsafe-inline'",
`img-src ${imgSrc}`,
"font-src 'self' data:",
"connect-src 'self' https://generativelanguage.googleapis.com https://*.openai.com https://*.azure.com",
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'",
].join("; ");
}
export function middleware(request: NextRequest): NextResponse {
// Generate a cryptographically random nonce for this request
const nonceBytes = new Uint8Array(16);
crypto.getRandomValues(nonceBytes);
const nonce = btoa(String.fromCharCode(...nonceBytes));
const isProd = process.env.NODE_ENV === "production";
const csp = buildCsp(nonce, isProd);
// Forward nonce to server components via request header
const requestHeaders = new Headers(request.headers);
requestHeaders.set("x-nonce", nonce);
requestHeaders.set("Content-Security-Policy", csp);
const response = NextResponse.next({ request: { headers: requestHeaders } });
response.headers.set("Content-Security-Policy", csp);
return response;
}
export const config = {
matcher: [
// Apply to all routes except Next.js internals and static assets
"/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
],
};
Reference in New Issue View Git Blame Copy Permalink