Add Content Security Policy Header #342

Open

runemadsen wants to merge 5 commits into main from csp

Conversation

@runemadsen (Collaborator)

This PR adds a Content-Security-Policy header to all responses from the documentation website. This implementation is based on the approach in cloudsmith-web-app with a few differences:

  1. Since this is an entirely static app, we cannot rely on nonces. This means that we need to allow a few less safe things in this CSP implementation in order to e.g. get inline Next scripts and styles to render.
  2. The syntax highlighting is done via WASM, so we need to enable wasm-unsafe-eval.

I'm not entirely sure what Cloudsmith as an organization wants to allow in these headers in order to consider something safe from injection. An alternative is that the site becomes dynamically rendered, making it possible to use nonces everywhere.

I've added @paulmay-cloudsmith and @fdoflorenzano as reviewers. Since this has the ability to break existing scripts on the website, I'd like us to give it a good check before we merge.

vercel bot commented Feb 19, 2026

Project: cloudsmith-docs. Deployment: Ready (Preview). Updated Feb 19, 2026 9:20am (UTC).

Copilot AI (Contributor) left a comment

Pull request overview

This PR adds Content-Security-Policy (CSP) and Referrer-Policy headers to the documentation website to improve security against injection attacks. Since the site uses static output, the implementation must allow unsafe-inline for scripts and styles, and wasm-unsafe-eval for syntax highlighting via WASM.

Changes:

  • Added new CSP header generation function that dynamically builds policy directives for default security, Cloudsmith API access, Simple Analytics, and Vercel Analytics
  • Configured Next.js to apply CSP and Referrer-Policy headers to all routes
  • Minor refactor: added error parameter name to catch block in highlighter hook (likely for linter compliance)

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Files:

  • src/lib/csp.ts: New file implementing CSP header value generation with configurable directives for various services and optional Sentry reporting
  • next.config.ts: Added async headers() function to apply CSP and Referrer-Policy headers to all routes, plus minor formatting improvements
  • src/lib/highlight/client.ts: Added parameter name to catch block (error parameter unused but named)

@paulmay-cloudsmith (Collaborator)

Hey there; I believe qualified is also (or will be) included in the docs site which will mean allowing for https://js.qualified.com/qualified.js

@runemadsen (Collaborator, Author)

Hey there; I believe qualified is also (or will be) included in the docs site which will mean allowing for https://js.qualified.com/qualified.js

Pushed!
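The thread above discusses three things a reviewer of this PR would want to see concretely: the static-vs-nonce trade-off from the PR description (a static export forces 'unsafe-inline', whereas dynamic rendering would allow per-request nonces), the csp.ts builder and next.config.ts headers() shape summarised in the Copilot review, and the addition of https://js.qualified.com/qualified.js to script-src requested below it. The following is an added illustration written for this page, not the project's own src/lib/csp.ts or next.config.ts: it builds a policy in either mode, serialises and parses the header, and runs a small audit that flags the weaknesses ('unsafe-inline' without a nonce or hash, wildcard script sources, missing object-src/base-uri/frame-ancestors) a reviewer would check before merging. The Cloudsmith API origin, the report endpoint and the Referrer-Policy value are assumptions; only the Qualified URL comes from the thread.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Added example, not the project's src/lib/csp.ts. Origins marked "assumed" are
// placeholders; https://js.qualified.com/qualified.js is the URL named in the thread.
type Directives = Record<string, string[]>;

export interface CspOptions {
  /** "static": no per-request nonce, so inline Next scripts/styles need 'unsafe-inline'.
   *  "nonce": dynamically rendered pages, a fresh nonce per request. */
  mode: "static" | "nonce";
  nonce?: string;
  /** Extra script origins or full URLs, e.g. the Qualified loader. */
  scriptSources?: string[];
  /** Optional violation report endpoint (a Sentry report URL, assumed). */
  reportUri?: string;
}

export function makeNonce(): string {
  // 128 bits of entropy, base64-encoded so it is a valid nonce-source token
  return randomBytes(16).toString("base64");
}

export function hashInlineScript(source: string): string {
  // A hash source lets a static site allow one known inline script without 'unsafe-inline'
  return `'sha256-${createHash("sha256").update(source, "utf8").digest("base64")}'`;
}

export function buildDirectives(opts: CspOptions): Directives {
  const d: Directives = {
    "default-src": ["'self'"],
    // 'wasm-unsafe-eval' is needed for the WASM highlighter; it does not permit JS eval()
    "script-src": ["'self'", "'wasm-unsafe-eval'", ...(opts.scriptSources ?? [])],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "font-src": ["'self'"],
    "connect-src": ["'self'", "https://api.cloudsmith.io"], // assumed API origin
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
    "form-action": ["'self'"],
  };
  if (opts.mode === "static") {
    // The cost of a static export: an injected inline <script> also runs.
    d["script-src"].push("'unsafe-inline'");
    d["style-src"].push("'unsafe-inline'");
  } else {
    if (!opts.nonce) throw new Error("nonce mode requires a per-request nonce");
    // With 'strict-dynamic', CSP3 browsers ignore host allowlists; trust flows from nonced scripts,
    // so a third-party loader must itself be emitted with the nonce rather than allowed by host.
    d["script-src"].push(`'nonce-${opts.nonce}'`, "'strict-dynamic'");
    d["style-src"].push(`'nonce-${opts.nonce}'`);
  }
  if (opts.reportUri) d["report-uri"] = [opts.reportUri];
  return d;
}

export function serialize(d: Directives): string {
  return Object.entries(d).map(([name, values]) => `${name} ${values.join(" ")}`).join("; ");
}

export function parse(header: string): Directives {
  const out: Directives = {};
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = values;
  }
  return out;
}

/** Flags the weaknesses a reviewer would check for; one string per finding. */
export function audit(d: Directives): string[] {
  const findings: string[] = [];
  const script = d["script-src"] ?? d["default-src"] ?? [];
  const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src: 'unsafe-inline' without nonce/hash; injected inline scripts execute");
  }
  if (script.includes("'unsafe-eval'")) findings.push("script-src: 'unsafe-eval' permits eval()/Function()");
  if (script.some((s) => s === "*" || s === "https:" || s === "http:")) {
    findings.push("script-src: wildcard source allows scripts from any origin");
  }
  if (!("object-src" in d)) findings.push("object-src: missing (inherits default-src); set 'none'");
  for (const name of ["base-uri", "frame-ancestors"]) {
    if (!(name in d)) findings.push(`${name}: missing and not covered by default-src`);
  }
  return findings;
}

/** Shape returned from Next.js headers() in next.config.ts: CSP plus Referrer-Policy on every route. */
export function securityHeaders(opts: CspOptions) {
  return [{
    source: "/(.*)",
    headers: [
      { key: "Content-Security-Policy", value: serialize(buildDirectives(opts)) },
      { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" }, // assumed value
    ],
  }];
}
```

Running audit() over the static policy reports exactly the weakness the PR description concedes ('unsafe-inline' in script-src), and reports nothing for the nonce policy; that difference is the concrete argument for the "dynamically rendered" alternative mentioned above. hashInlineScript() is the middle ground for a static export when the set of inline scripts is known at build time.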
