From 76350f5c4f8378e1533a026ff0538ece1032f4bc Mon Sep 17 00:00:00 2001
From: notpua
Date: Sat, 26 Oct 2024 03:05:56 +0530
Subject: [PATCH] security: add more security related headers
---
 src/middleware.js | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/middleware.js b/src/middleware.js
index 8051e4a8..87da02e6 100644
--- a/src/middleware.js
+++ b/src/middleware.js
@@ -10,7 +10,7 @@ export function middleware(req) {
 const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
 const { pathname } = req.nextUrl;
 const cspHeader = `
- default-src 'self';
+ default-src 'none';
 script-src 'self' 'nonce-${nonce}' 'strict-dynamic' https: http: 'unsafe-inline' ${
 process.env.NODE_ENV === "production" ? "" : `'unsafe-eval'`
 };
@@ -38,6 +38,8 @@ export function middleware(req) {
 "Content-Security-Policy",
 contentSecurityPolicyHeaderValue,
 );
+ requestHeaders.set("X-Content-Type-Options", "nosniff");
+ requestHeaders.set("Referrer-Policy", "strict-origin-when-cross-origin");
 
 const response = NextResponse.next({
 request: {
@@ -48,6 +50,9 @@ export function middleware(req) {
 "Content-Security-Policy",
 contentSecurityPolicyHeaderValue,
 );
+ response.headers.set("X-Content-Type-Options", "nosniff");
+ response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+
 
 // if logout cookie is set, log the user out
 if (req.cookies.has("logout")) {
@@ -60,6 +65,8 @@ export function middleware(req) {
 "Content-Security-Policy",
 contentSecurityPolicyHeaderValue,
 );
+ responseRes.headers.set("X-Content-Type-Options", "nosniff");
+ responseRes.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
 return redirectRes;
 }
 
@@ -72,6 +79,8 @@ export function middleware(req) {
 "Content-Security-Policy",
 contentSecurityPolicyHeaderValue,
 );
+ responseRes.headers.set("X-Content-Type-Options", "nosniff");
+ responseRes.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
 return redirectRes;
 }
 
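Review bot: With `default-src 'none'`, every fetch directive the app relies on but does not list explicitly (connect-src, img-src, font-src, frame-src, worker-src, manifest-src, media-src) now falls back to a deny instead of `'self'`, so each one needs its own entry in the remainder of the policy, which lies outside this hunk. The `https: http: 'unsafe-inline'` fallbacks in script-src remain harmless under `'strict-dynamic'`, since nonce-aware browsers ignore them. To catch anything the tighter default blocks, add a reporting directive such as `report-to` to the policy, or roll the change out under `Content-Security-Policy-Report-Only` first so breakage surfaces as reports rather than a silently broken page. middleware's body continues outside the hunk.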
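Review bot: `X-Content-Type-Options` and `Referrer-Policy` are response headers, so setting them on `requestHeaders`, the headers forwarded to the route through `NextResponse.next({ request: ... })` just below, has no effect on the browser. The CSP header is presumably forwarded the same way so server-rendered code can read back the nonce, but nothing downstream is likely to consume these two. Either drop the two `requestHeaders.set` lines or give them a comment naming the consumer, e.g. `// forwarded for server-side readers; the browser-facing copies are set on each response below`. The `requestHeaders.set(` call that opens this hunk starts outside it.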
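Review bot: The same pair of `headers.set` calls is now repeated on every response this function builds (here and in the five redirect hunks that follow), so a header added next time has to be added in seven places, and one copy drifting from the others goes unnoticed. A small helper applied to each response keeps them in lockstep and also gives a single place for the headers this commit leaves out, such as `Strict-Transport-Security`, `X-Frame-Options` (or CSP `frame-ancestors`) and `Permissions-Policy`. The constant and helper below sit at module scope; each redirect branch would then call `applySecurityHeaders(redirectRes.headers, contentSecurityPolicyHeaderValue)` in place of its three `set` calls.
```javascript
// module scope, next to the existing imports
const BROWSER_SECURITY_HEADERS = Object.freeze({
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
});

/** Applies the CSP plus the fixed browser-facing security headers to one response's headers. */
function applySecurityHeaders(headers, cspValue) {
  headers.set("Content-Security-Policy", cspValue);
  for (const [name, value] of Object.entries(BROWSER_SECURITY_HEADERS)) {
    headers.set(name, value);
  }
}

// … unchanged: CSP construction, requestHeaders, NextResponse.next(...) …
applySecurityHeaders(response.headers, contentSecurityPolicyHeaderValue);
// … unchanged: logout handling and the redirect branches …
```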
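Review bot: The two added lines set the headers on `responseRes`, but the object returned two lines later is `redirectRes`, so the redirect goes out without them; and if `responseRes` is not a binding in this function at all, which the visible context gives no sign of, the call throws a ReferenceError before the return and breaks the logout redirect entirely. The same mismatch appears in the hunks at old lines 72, 93, 113 and 124. The receiver should be the response that is actually returned: `redirectRes.headers.set("X-Content-Type-Options", "nosniff");` and `redirectRes.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");`. The `headers.set(` call that opens this hunk, and any definition of `responseRes`, lie outside it.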
@@ -93,6 +102,8 @@ export function middleware(req) {
 "Content-Security-Policy",
 contentSecurityPolicyHeaderValue,
 );
+ responseRes.headers.set("X-Content-Type-Options", "nosniff");
+ responseRes.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
 return redirectRes;
 }
 
@@ -113,6 +124,8 @@ export function middleware(req) {
 "Content-Security-Policy",
 contentSecurityPolicyHeaderValue,
 );
+ responseRes.headers.set("X-Content-Type-Options", "nosniff");
+ responseRes.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
 return redirectRes;
 }
 
@@ -124,6 +137,8 @@ export function middleware(req) {
 "Content-Security-Policy",
 contentSecurityPolicyHeaderValue,
 );
+ responseRes.headers.set("X-Content-Type-Options", "nosniff");
+ responseRes.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
 return redirectRes;
 }
 