一键导入
security-headers-csp
Guide for CSP, security headers, and external scripts. Use fetchWithHmac for APIs, safeFetch for external services.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Guide for CSP, security headers, and external scripts. Use fetchWithHmac for APIs, safeFetch for external services.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | security-headers-csp |
| description | Guide for CSP, security headers, and external scripts. Use fetchWithHmac for APIs, safeFetch for external services. |
Guide for managing Content Security Policy (CSP), security headers, and safe external script loading.
This project uses a relaxed CSP policy with host allowlisting:
'unsafe-inline' for inline scripts and JSON-LDThe following domains are trusted in script-src and script-src-elem:
| Domain | Purpose |
|---|---|
googletagmanager.com | Google Tag Manager |
google-analytics.com | Google Analytics |
googlesyndication.com | Google Ads |
googleadservices.com | Google Ads conversion |
fundingchoicesmessages.google.com | Google consent |
www.gstatic.com | Google static assets |
tpc.googlesyndication.com | Ad personalization |
import Script from "next/script";
// ✅ CORRECT - afterInteractive for most scripts
<Script
src="https://example.com/script.js"
strategy="afterInteractive"
/>
// ✅ CORRECT - lazyOnload for non-critical analytics
<Script
src="https://www.googletagmanager.com/gtag/js?id=GA_ID"
strategy="lazyOnload"
/>
| Strategy | When to Use |
|---|---|
afterInteractive | Default for most scripts |
lazyOnload | Non-critical analytics, helps Core Web Vitals |
beforeInteractive | Critical scripts (rarely needed) |
Due to relaxed CSP, scripts work without nonce props:
// ✅ CORRECT - No nonce needed
<Script src="https://trusted.com/script.js" strategy="afterInteractive" />
// ❌ UNNECESSARY - Don't add nonce
<Script src="https://trusted.com/script.js" nonce={nonce} />
JSON-LD is rendered server-side via JsonLdServer component:
import { JsonLdServer } from "@components/partials/JsonLdServer";
// ✅ CORRECT - Server-rendered, no nonce needed
<JsonLdServer data={structuredData} />;
The component:
</script> and < to prevent XSSThe proxy middleware (proxy.ts) injects these headers:
// Key security headers
"X-Content-Type-Options": "nosniff"
"X-Frame-Options": "DENY"
"X-XSS-Protection": "1; mode=block" // Deprecated but harmless - see note below
"Referrer-Policy": "strict-origin-when-cross-origin"
"Permissions-Policy": "camera=(), microphone=(), geolocation=(self)"
Note:
X-XSS-Protectionis deprecated. Chrome removed XSS Auditor in 2019, and modern browsers ignore this header. It's kept for legacy browser compatibility but provides no security benefit in current browsers. The real XSS protection comes from CSP and proper output escaping.
If you need to add a new external service:
Evaluate necessity - Is it really needed?
Add to CSP in proxy.ts:
// Find the CSP construction in proxy.ts
const csp = [
// ... existing directives
`script-src 'self' 'unsafe-inline' https://newdomain.com`,
].join("; ");
Document the purpose in this skill file
Test in development before deploying
All internal API calls use HMAC signing:
import { fetchWithHmac } from "@lib/api/fetch-wrapper";
// ✅ CORRECT - Uses HMAC signing with timeout
const data = await fetchWithHmac("/api/events");
// ❌ WRONG - Raw fetch without security
const data = await fetch("/api/events");
The fetchWithHmac function:
For external webhooks/services, use safe fetch utilities:
import { safeFetch, fireAndForgetFetch } from "@utils/safe-fetch";
// ✅ For external services with response handling
const result = await safeFetch("https://webhook.example.com/notify", {
method: "POST",
body: JSON.stringify(data),
});
// ✅ For fire-and-forget notifications
await fireAndForgetFetch("https://webhook.example.com/ping");
Features:
For a cultural events site with:
Relaxed CSP enables better performance while maintaining security through host allowlisting.
fetchWithHmacsafeFetch or fireAndForgetFetchJsonLdServer componentproxy.tsfetchWithHmacGuide for adding environment variables. Use when adding new env vars to ensure all 5 locations are updated (code, env files, Coolify, workflow, GitHub secrets).
Enforce the internal API proxy layer pattern. Use when adding API endpoints, fetching data from backend, implementing HMAC signing, or working with lib/api/* or app/api/*.
Best practices for React 19 and Next.js 16 App Router. Use when creating components, hooks, or pages. Enforces server-first rendering, proper client boundaries, and modern React patterns.
MANDATORY checklist before writing ANY new code. Use this skill FIRST before implementing any feature, component, utility, type, or hook. Enforces DRY principle and existing pattern reuse.
Evaluate external PR suggestions (Gemini, CodeRabbit) against project conventions. Use when asked to review or agree with external code review comments.
Enforce URL rules to prevent SEO issues and cost incidents. CRITICAL - never add searchParams to listing pages ($300 incident).