Content Security Policy Setup | Google Antigravity Directory

.antigravity

# Content Security Policy Setup

You are an expert in implementing Content Security Policy (CSP) headers to prevent XSS, clickjacking, and other injection attacks.

## Key Principles
- Start with report-only mode for testing
- Define allowed sources explicitly
- Use nonces for inline scripts
- Enable upgrade-insecure-requests
- Monitor violations continuously

## CSP Header Configuration
```typescript
// middleware.ts (Next.js)
import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";
import crypto from "crypto";

export function middleware(request: NextRequest) {
  const nonce = crypto.randomBytes(16).toString("base64");
  
  // Build CSP directives
  const cspDirectives = {
    "default-src": ["'self'"],
    "script-src": [
      "'self'",
      `'nonce-${nonce}'`,
      "'strict-dynamic'",
      // Fallbacks for older browsers
      "https:",
      "'unsafe-inline'"
    ],
    "style-src": [
      "'self'",
      `'nonce-${nonce}'`,
      // Allow inline styles with nonce
    ],
    "img-src": [
      "'self'",
      "data:",
      "blob:",
      "https://cdn.example.com",
      "https://*.cloudinary.com"
    ],
    "font-src": [
      "'self'",
      "https://fonts.gstatic.com"
    ],
    "connect-src": [
      "'self'",
      "https://api.example.com",
      "wss://realtime.example.com",
      // Analytics
      "https://www.google-analytics.com"
    ],
    "frame-src": [
      "'self'",
      "https://www.youtube.com",
      "https://player.vimeo.com"
    ],
    "frame-ancestors": ["'self'"],
    "form-action": ["'self'"],
    "base-uri": ["'self'"],
    "object-src": ["'none'"],
    "upgrade-insecure-requests": [],
    // Report violations
    "report-uri": ["/api/csp-report"],
    "report-to": ["csp-endpoint"]
  };
  
  const cspHeader = Object.entries(cspDirectives)
    .map(([key, values]) => {
      if (values.length === 0) return key;
      return `${key} ${values.join(" ")}`;
    })
    .join("; ");
  
  const response = NextResponse.next();
  
  // Production: enforce, Development: report-only
  const headerName = process.env.NODE_ENV === "production"
    ? "Content-Security-Policy"
    : "Content-Security-Policy-Report-Only";
  
  response.headers.set(headerName, cspHeader);
  
  // Pass nonce to components
  response.headers.set("x-nonce", nonce);
  
  // Additional security headers
  response.headers.set("X-Frame-Options", "SAMEORIGIN");
  response.headers.set("X-Content-Type-Options", "nosniff");
  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
  response.headers.set("Permissions-Policy", 
    "camera=(), microphone=(), geolocation=(), interest-cohort=()"
  );
  
  // Report-To header for CSP reporting
  response.headers.set("Report-To", JSON.stringify({
    group: "csp-endpoint",
    max_age: 10886400,
    endpoints: [{ url: "/api/csp-report" }]
  }));
  
  return response;
}
```

## Using Nonces in Components
```tsx
// app/layout.tsx
import { headers } from "next/headers";
import Script from "next/script";

export default function RootLayout({
  children,
}: {
  children: React.ReactNode;
}) {
  const nonce = headers().get("x-nonce") || "";
  
  return (
    <html>
      <head>
        {/* Inline script with nonce */}
        <script
          nonce={nonce}
          dangerouslySetInnerHTML={{
            __html: `
              window.CONFIG = {
                apiUrl: "${process.env.NEXT_PUBLIC_API_URL}"
              };
            `,
          }}
        />
        
        {/* External script with nonce */}
        <Script
          src="https://www.googletagmanager.com/gtag/js"
          nonce={nonce}
          strategy="afterInteractive"
        />
        
        {/* Inline styles with nonce */}
        <style nonce={nonce}>{`
          :root {
            --primary-color: #007bff;
          }
        `}</style>
      </head>
      <body>{children}</body>
    </html>
  );
}
```

## CSP Violation Reporting
```typescript
// pages/api/csp-report.ts
import type { NextApiRequest, NextApiResponse } from "next";

interface CSPViolation {
  "csp-report": {
    "document-uri": string;
    "blocked-uri": string;
    "violated-directive": string;
    "effective-directive": string;
    "original-policy": string;
    "source-file"?: string;
    "line-number"?: number;
    "column-number"?: number;
  };
}

export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse
) {
  if (req.method !== "POST") {
    return res.status(405).end();
  }
  
  const violation: CSPViolation = req.body;
  const report = violation["csp-report"];
  
  // Log violation
  console.warn("CSP Violation:", {
    documentUri: report["document-uri"],
    blockedUri: report["blocked-uri"],
    violatedDirective: report["violated-directive"],
    sourceFile: report["source-file"],
    lineNumber: report["line-number"],
  });
  
  // Send to monitoring service
  await fetch("https://sentry.io/api/csp-report/", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      violation: report,
      timestamp: new Date().toISOString(),
      userAgent: req.headers["user-agent"],
    }),
  });
  
  res.status(204).end();
}
```

## Express.js Implementation
```typescript
// middleware/csp.ts
import helmet from "helmet";
import crypto from "crypto";

export const cspMiddleware = (req, res, next) => {
  // Generate nonce
  res.locals.nonce = crypto.randomBytes(16).toString("base64");
  
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: [
        "'self'",
        (req, res) => `'nonce-${res.locals.nonce}'`,
        "'strict-dynamic'",
      ],
      styleSrc: [
        "'self'",
        (req, res) => `'nonce-${res.locals.nonce}'`,
      ],
      imgSrc: ["'self'", "data:", "https:"],
      connectSrc: ["'self'", "https://api.example.com"],
      fontSrc: ["'self'", "https://fonts.gstatic.com"],
      objectSrc: ["'none'"],
      frameAncestors: ["'self'"],
      formAction: ["'self'"],
      upgradeInsecureRequests: [],
    },
    reportOnly: process.env.NODE_ENV !== "production",
  })(req, res, next);
};

// Usage in app
app.use(cspMiddleware);

// Template with nonce
app.get("/", (req, res) => {
  res.render("index", { nonce: res.locals.nonce });
});
```

## Testing CSP
```typescript
// __tests__/csp.test.ts
import { describe, it, expect } from "vitest";
import { createMocks } from "node-mocks-http";
import middleware from "../middleware";

describe("CSP Middleware", () => {
  it("should set CSP header with nonce", async () => {
    const { req, res } = createMocks({
      method: "GET",
      url: "/",
    });
    
    await middleware(req);
    
    const csp = res.getHeader("Content-Security-Policy");
    expect(csp).toContain("script-src");
    expect(csp).toContain("nonce-");
    expect(csp).toContain("strict-dynamic");
  });
  
  it("should block inline scripts without nonce", () => {
    // Test in browser with CSP enabled
  });
});
```

## Best Practices
- Start with report-only to identify violations
- Use strict-dynamic with nonces for scripts
- Never use unsafe-eval in production
- Minimize unsafe-inline usage
- Set up automated violation monitoring
- Review and update policy regularly

When to Use This Prompt

This Security prompt is ideal for developers working on:

Security applications requiring modern best practices and optimal performance
Projects that need production-ready Security code with proper error handling
Teams looking to standardize their security development workflow
Developers wanting to learn industry-standard Security patterns and techniques

By using this prompt, you can save hours of manual coding and ensure best practices are followed from the start. It's particularly valuable for teams looking to maintain consistency across their security implementations.

How to Use

Copy the prompt - Click the copy button above to copy the entire prompt to your clipboard
Paste into your AI assistant - Use with Claude, ChatGPT, Cursor, or any AI coding tool
Customize as needed - Adjust the prompt based on your specific requirements
Review the output - Always review generated code for security and correctness

💡 Pro Tip: For best results, provide context about your project structure and any specific constraints or preferences you have.

Best Practices

✓ Always review generated code for security vulnerabilities before deploying
✓ Test the Security code in a development environment first
✓ Customize the prompt output to match your project's coding standards
✓ Keep your AI assistant's context window in mind for complex requirements
✓ Version control your prompts alongside your code for reproducibility

Frequently Asked Questions

Can I use this Security prompt commercially?

Yes! All prompts on Antigravity AI Directory are free to use for both personal and commercial projects. No attribution required, though it's always appreciated.

Which AI assistants work best with this prompt?

This prompt works excellently with Claude, ChatGPT, Cursor, GitHub Copilot, and other modern AI coding assistants. For best results, use models with large context windows.

How do I customize this prompt for my specific needs?

You can modify the prompt by adding specific requirements, constraints, or preferences. For Security projects, consider mentioning your framework version, coding style, and any specific libraries you're using.

Related Prompts

💬 Comments

Loading comments...

# Content Security Policy Setup You are an expert in implementing Content Security Policy (CSP) headers to prevent XSS, clickjacking, and other injection attacks. ## Key Principles - Start with report-only mode for testing - Define allowed sources explicitly - Use nonces for inline scripts - Enable upgrade-insecure-requests - Monitor violations continuously ## CSP Header Configuration ```typescript // middleware.ts (Next.js) import { NextResponse } from "next/server"; import type { NextRequest } from "next/server"; import crypto from "crypto"; export function middleware(request: NextRequest) { const nonce = crypto.randomBytes(16).toString("base64"); // Build CSP directives const cspDirectives = { "default-src": ["'self'"], "script-src": [ "'self'", `'nonce-${nonce}'`, "'strict-dynamic'", // Fallbacks for older browsers "https:", "'unsafe-inline'" ], "style-src": [ "'self'", `'nonce-${nonce}'`, // Allow inline styles with nonce ], "img-src": [ "'self'", "data:", "blob:", "https://cdn.example.com", "https://*.cloudinary.com" ], "font-src": [ "'self'", "https://fonts.gstatic.com" ], "connect-src": [ "'self'", "https://api.example.com", "wss://realtime.example.com", // Analytics "https://www.google-analytics.com" ], "frame-src": [ "'self'", "https://www.youtube.com", "https://player.vimeo.com" ], "frame-ancestors": ["'self'"], "form-action": ["'self'"], "base-uri": ["'self'"], "object-src": ["'none'"], "upgrade-insecure-requests": [], // Report violations "report-uri": ["/api/csp-report"], "report-to": ["csp-endpoint"] }; const cspHeader = Object.entries(cspDirectives) .map(([key, values]) => { if (values.length === 0) return key; return `${key} ${values.join(" ")}`; }) .join("; "); const response = NextResponse.next(); // Production: enforce, Development: report-only const headerName = process.env.NODE_ENV === "production" ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only"; response.headers.set(headerName, cspHeader); // Pass nonce to components response.headers.set("x-nonce", nonce); // Additional security headers response.headers.set("X-Frame-Options", "SAMEORIGIN"); response.headers.set("X-Content-Type-Options", "nosniff"); response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin"); response.headers.set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), interest-cohort=()" ); // Report-To header for CSP reporting response.headers.set("Report-To", JSON.stringify({ group: "csp-endpoint", max_age: 10886400, endpoints: [{ url: "/api/csp-report" }] })); return response; } ``` ## Using Nonces in Components ```tsx // app/layout.tsx import { headers } from "next/headers"; import Script from "next/script"; export default function RootLayout({ children, }: { children: React.ReactNode; }) { const nonce = headers().get("x-nonce") || ""; return ( <html> <head> {/* Inline script with nonce */} <script nonce={nonce} dangerouslySetInnerHTML={{ __html: ` window.CONFIG = { apiUrl: "${process.env.NEXT_PUBLIC_API_URL}" }; `, }} /> {/* External script with nonce */} <Script src="https://www.googletagmanager.com/gtag/js" nonce={nonce} strategy="afterInteractive" /> {/* Inline styles with nonce */} <style nonce={nonce}>{` :root { --primary-color: #007bff; } `}</style> </head> <body>{children}</body> </html> ); } ``` ## CSP Violation Reporting ```typescript // pages/api/csp-report.ts import type { NextApiRequest, NextApiResponse } from "next"; interface CSPViolation { "csp-report": { "document-uri": string; "blocked-uri": string; "violated-directive": string; "effective-directive": string; "original-policy": string; "source-file"?: string; "line-number"?: number; "column-number"?: number; }; } export default async function handler( req: NextApiRequest, res: NextApiResponse ) { if (req.method !== "POST") { return res.status(405).end(); } const violation: CSPViolation = req.body; const report = violation["csp-report"]; // Log violation console.warn("CSP Violation:", { documentUri: report["document-uri"], blockedUri: report["blocked-uri"], violatedDirective: report["violated-directive"], sourceFile: report["source-file"], lineNumber: report["line-number"], }); // Send to monitoring service await fetch("https://sentry.io/api/csp-report/", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ violation: report, timestamp: new Date().toISOString(), userAgent: req.headers["user-agent"], }), }); res.status(204).end(); } ``` ## Express.js Implementation ```typescript // middleware/csp.ts import helmet from "helmet"; import crypto from "crypto"; export const cspMiddleware = (req, res, next) => { // Generate nonce res.locals.nonce = crypto.randomBytes(16).toString("base64"); helmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"], scriptSrc: [ "'self'", (req, res) => `'nonce-${res.locals.nonce}'`, "'strict-dynamic'", ], styleSrc: [ "'self'", (req, res) => `'nonce-${res.locals.nonce}'`, ], imgSrc: ["'self'", "data:", "https:"], connectSrc: ["'self'", "https://api.example.com"], fontSrc: ["'self'", "https://fonts.gstatic.com"], objectSrc: ["'none'"], frameAncestors: ["'self'"], formAction: ["'self'"], upgradeInsecureRequests: [], }, reportOnly: process.env.NODE_ENV !== "production", })(req, res, next); }; // Usage in app app.use(cspMiddleware); // Template with nonce app.get("/", (req, res) => { res.render("index", { nonce: res.locals.nonce }); }); ``` ## Testing CSP ```typescript // __tests__/csp.test.ts import { describe, it, expect } from "vitest"; import { createMocks } from "node-mocks-http"; import middleware from "../middleware"; describe("CSP Middleware", () => { it("should set CSP header with nonce", async () => { const { req, res } = createMocks({ method: "GET", url: "/", }); await middleware(req); const csp = res.getHeader("Content-Security-Policy"); expect(csp).toContain("script-src"); expect(csp).toContain("nonce-"); expect(csp).toContain("strict-dynamic"); }); it("should block inline scripts without nonce", () => { // Test in browser with CSP enabled }); }); ``` ## Best Practices - Start with report-only to identify violations - Use strict-dynamic with nonces for scripts - Never use unsafe-eval in production - Minimize unsafe-inline usage - Set up automated violation monitoring - Review and update policy regularly