Update 15-content-security-policy.mdx

timneutkens · web-flow · commit af2c3f71bf6d · 2023-11-10T14:28:43.000+01:00
Ensures the CSP header is still set on the response.
diff --git a/docs/02-app/01-building-your-application/07-configuring/15-content-security-policy.mdx b/docs/02-app/01-building-your-application/07-configuring/15-content-security-policy.mdx
@@ -54,20 +54,31 @@ export function middleware(request: NextRequest){
 block-all-mixed-content;
 upgrade-insecure-requests;
 `
+ // Replace newline characters and spaces
+ const contentSecurityPolicyHeaderValue = cspHeader
+ .replace(/\s{2,}/g, ' ')
+ .trim()
 
 const requestHeaders = new Headers(request.headers)
 requestHeaders.set('x-nonce', nonce)
+
 requestHeaders.set(
 'Content-Security-Policy',
- // Replace newline characters and spaces
- cspHeader.replace(/\s{2,}/g, ' ').trim()
+ contentSecurityPolicyHeaderValue
 )
 
- return NextResponse.next({
+ const response = NextResponse.next({
+ headers: requestHeaders,
 request:{
 headers: requestHeaders,
 },
 })
+ response.headers.set(
+ 'Content-Security-Policy',
+ contentSecurityPolicyHeaderValue
+ )
+
+ return response
 }
 ```
 
@@ -89,21 +100,30 @@ export function middleware(request){
 block-all-mixed-content;
 upgrade-insecure-requests;
 `
+ // Replace newline characters and spaces
+ const contentSecurityPolicyHeaderValue = cspHeader
+ .replace(/\s{2,}/g, ' ')
+ .trim()
 
 const requestHeaders = new Headers(request.headers)
 requestHeaders.set('x-nonce', nonce)
 requestHeaders.set(
 'Content-Security-Policy',
- // Replace newline characters and spaces
- cspHeader.replace(/\s{2,}/g, ' ').trim()
+ contentSecurityPolicyHeaderValue
 )
 
- return NextResponse.next({
+ const response = NextResponse.next({
 headers: requestHeaders,
 request:{
 headers: requestHeaders,
 },
 })
+ response.headers.set(
+ 'Content-Security-Policy',
+ contentSecurityPolicyHeaderValue
+ )
+
+ return response
 }
 ```
 
