- group CSP rules into an object with a description field, as a means of documenting what needs specific rules
- abstract out some security best practices that can be shared with multiple projects
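
One way the grouping described above could look, with each rule carrying its own description and an optional route scope. This is an added example, not this project's code: `CspRule`, `RULES`, `buildCsp`, `whyAllowed` and the third-party hosts are hypothetical names and constructed sample values.

```typescript
// Added example: CspRule, RULES, buildCsp and whyAllowed are hypothetical names,
// and the third-party hosts are constructed sample values.
interface CspRule {
  description: string;               // why the rule exists / which third party needs it
  sources: Record<string, string[]>; // directive -> allowed sources
  pathPrefix?: string;               // only apply under this route; omitted = every route
}

const RULES: CspRule[] = [
  { description: "Baseline: same-origin only",
    sources: { "default-src": ["'self'"], "object-src": ["'none'"] } },
  { description: "Analytics vendor",
    sources: { "script-src": ["'self'", "https://analytics.example"],
               "connect-src": ["'self'", "https://analytics.example"] } },
  { description: "Payment widget, checkout pages only",
    pathPrefix: "/checkout",
    sources: { "script-src": ["https://pay.example"], "frame-src": ["https://pay.example"] } },
];

// Whitespace, ';' or ',' in an entry would smuggle in extra sources or a whole new directive.
const UNSAFE = /[\s;,]/;

function applies(rule: CspRule, pathname: string): boolean {
  const p = rule.pathPrefix;
  return p === undefined || pathname === p || pathname.indexOf(p + "/") === 0;
}

// Merge every rule that applies to `pathname` into one Content-Security-Policy value.
function buildCsp(rules: CspRule[], pathname: string): string {
  const merged: Record<string, string[]> = {};
  for (const rule of rules) {
    if (!applies(rule, pathname)) continue;
    for (const directive of Object.keys(rule.sources)) {
      const list = merged[directive] || (merged[directive] = []);
      for (const src of rule.sources[directive]) {
        if (UNSAFE.test(src)) throw new Error(`unsafe source in "${rule.description}": ${src}`);
        if (list.indexOf(src) === -1) list.push(src); // de-duplicate across rules
      }
    }
  }
  return Object.keys(merged).map((d) => `${d} ${merged[d].join(" ")}`).join("; ");
}

// Audit helper: which documented rules are the reason `source` is allowed?
function whyAllowed(rules: CspRule[], source: string): string[] {
  return rules
    .filter((r) => Object.keys(r.sources).some((d) => r.sources[d].indexOf(source) !== -1))
    .map((r) => r.description);
}
```

The string returned by `buildCsp` is the value for the `Content-Security-Policy` response header; removing a rule object removes its sources from every route it applied to, which keeps orphaned entries visible.
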
Read the documentation
- [ ] review with-csp and use in middleware vs next.config.mjs
- only supported a raw CSP whitelist, but I wanted tracking per 3rd party
- to only add CSP on routes that needed it
- to know why things were being added and minimize risk of orphaning
- no longer maintained
- didn't seem to support app directory
- issues with Next > 13.4.4 (possible workaround: nibtime/next-safe-middleware#96 (comment))
with-csp: Next.js has had work in 13.5 to improve dynamic CSP
- unclear how static pages should be protected
- Using latest module and target settings for current LTS
- using tsc for types until bun support comes around
Using changesets so please remember to run "changeset" with any PR.
Give consideration to the summary, as it is what will show up in the changelog.