Next.js 13: How to pass nonce as prop so that initial scripts receive it?

[tmb-github]

Describe the feature you'd like to request

In Next.js 12, we simply add a nonce attribute to <Head> and <NextScript> (from "next/document") in _document.js in order for nonces to be written to the initial scripts that Next.js creates. In Next.js 13, adding those elements from next/document has been eliminated in the new app paradigm, and Next seemingly does it in the background.

Please clarify where we pass a nonce as a prop so that Next 13 adds the nonce to the initial scripts.

Describe the solution you'd like

Clarification on the above matter.

Describe alternatives you've considered

I cannot see how it can be done provided the current design pattern.

[mlbiche]

@tmb-github Have you figured out how to do it? We are struggling with CSP due to this missing nonce. 😕

[tmb-github]

@mlbiche Yes, I send all of the security headers in next.config.js, in an async headers() function in the nextConfig object. See this article for the syntax. Next, in every page.js file in the app folder, I include const generatedNonce = process.env.generatedNonce; before the JSX return, and in the JSX I write a <Head nonce={generatedNonce}></Head> that returns the custom Head element that I use from page to page, whose tag values change page-by-page according to what's needed in it. Please let me know if you need more clarification.

[mlbiche]

@tmb-github Thanks for the explanations. But, I don't understand how you provide the per-page generated nonce in the CSP configured in the security headers in next.config.js as those headers seems to be prepared once when starting the app and not before each page request?

[tmb-github]

@mlbiche Sorry about the oversight. Yes, the nonce is generated in the next.config.js and set as an environment variable so it can be retrieved with process.env.generatedNonce. The code I use to do this in next.config.js is:

const nonceGenerator = () => {
  const hash = crypto.createHash("sha256");
  hash.update(v4());
  return hash.digest("base64");
};

const generatedNonce = nonceGenerator();

The generatedNonce is then added to the nextConfig object like this, which makes it available as an environment variable:

const nextConfig = {
[...]
  env: {
    generatedNonce: `${generatedNonce}`,
  },
[...]
};

[hugues-m]

Hi there,
@tmb-github thank you for your reply, I started implementation using your method, but as next.config.js is evaluated only once on server start, the nonce is the same for different page views.

" Nonces should be generated differently each time the page loads" https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce

After looking in next.js source code, the way to implement this it to pass a CSP header to the Request object from the middleware.

// middleware.ts

//...

  const nonce = generateContentSecurityPolicyScriptNonce()
  const cspNonceCondition = `'nonce-${nonce}'`
  
// ...

  const response = NextResponse.next({
    request: {
      headers: new Headers({
        'content-security-policy': securityPolicy,
        // Custom header for use in server component
        'x-mss-script-nonce': nonce,
      }),
    },
  })

// ...

  response.headers.append('Content-Security-Policy-Report-Only', securityPolicy)

// ...
  
return response

Then the nonce is different for each request and Next injects it automatically to its scripts ! (This seems weird and it is not documented but it works as intended by Next)

Then I added 'x-mss-script-nonce' header to get it back in server component (similar to your process.env, but with const nonce = headers().get('x-mss-script-nonce')

Hope this helps !

[hugues-m]

Note that this is not compatible with static site generation as the nonce must be injected for each page view.

[tmb-github]

@hugues-m Thanks for that...although I'm having trouble understanding how to revise my existing next.config.js file to incorporate that design pattern. It currently follows the syntax here: https://nextjs.org/docs/api-reference/next.config.js/headers How would I revise that to incorporate the middleware, or would I use it outside next.config.js, and if so, where? (Also, I'm not using TypeScript, so if the code could exclude that, it'd be helpful for me to read.)

[danieltott]

@hugues-m is correct that you need to set the request header in NextReponse.next, but note that you also need to set it as a response header so that it is outputted to the browser!

Here's my middleware function (full source):

export async function middleware(request: NextRequest) {
  // generate CSP and nonce
  const { csp, nonce } = generateCsp();

  // Clone the request headers
  const requestHeaders = new Headers(request.headers);

  // set nonce request header to read in pages if needed
  requestHeaders.set('x-nonce', nonce);

  // set CSP header
  // switching for report-only or regular for repro on
  // https://github.com/vercel/next.js/issues/48966
  const headerKey =
    request.nextUrl.pathname === '/csp-report-only'
      ? 'content-security-policy-report-only'
      : 'content-security-policy';

  // Set the CSP header so that `app-render` can read it and generate tags with the nonce
  requestHeaders.set(headerKey, csp);

  // create new response
  const response = NextResponse.next({
    request: {
      // New request headers
      headers: requestHeaders,
    },
  });

  // Also set the CSP so that it is outputted to the browser
  response.headers.set(headerKey, csp);

  return response;
}

You can see this working here: https://nextjs-csp-report-only.vercel.app/csp

Repo: https://github.com/Sprokets/nextjs-csp-report-only

Note - you'll need to be on at least Next.js 13.4.0 for this to work (see comment)

[vrajan1981]

Just curious, downloading your example seems to work fine, but only as long as headers() is called. If you remove all references to next/headers import, suddenly the nonce values aren't attached to the scripts anymore. Any idea what might be happening there?

Note: this is after running npm run build then npm run start.

[danieltott]

@vrajan1981 nonce-based values only work on dynamic routes by definition. In my example, calling headers() forced the page into dynamic rendering.

In static rendering, the CSP nonce strategy doesn't apply (or work at all here), since it needs to be different on every page load.

There's currently not any good solutions in nextjs for CSPs on statically-rendered pages.

[sashimigud]

Hello @danieltott, I'm relatively new to next and completely new to the world of CSP so this might be a stupid question, if so I apologize.

I'm using the app directory and as far as I understand per the docs static rendering is the default. I haven't done anything that would make my pages defect from the default, so I assume all my pages are rendered statically.

My app doesn't have user generated content, but there will be a contact-form on it, I'm going to sanitize that input but I would like to have some form of CSP as well. I added some security headers to next.config and tried to add all the hashes that the browser complained about, but there where two hashes that seemed to be generated anew every time I ran "npm run dev", and it also complained about unsafe-eval not being allowed, I assume the problem stems from googles reCaptcha because it is the only thing that seemingly stopped working on my site, even though I explicitly allowed every google and recaptcha url I could find in my CSP. So I started researching the nonce-way of doing things, I found this thread and thought I would try out the middleware solution you provided above.

If I'm correct and all my pages are rendered static, I would have to force dynamic rendering, by either calling headers() in my pages or by using export const dynamic = 'auto/force-dynamic' as stated here My question is (in a rather small app) would it be worth it to force all pages to be rendered dynamically, or would that make rendering significantly slower? I'm at a point where I'm considering not having a CSP or forcing all pages to render dynamically and trying your middleware solution. Thanks for your time, and sorry for the wall of text.

[hypnoboutique]

I'm struggling to find any info about how to implement a nonce for scripts with the App router in Next 13.

Previously, I used a custom document _document.tsx with <Head nonce="replacedInEdge_dontGetMeStarted"> and all scripts automatically included this nonce. Now, the mere inclusion of <Head /> from next/document in my root layout.tsx (as per the docs) results in the error:

Error [TypeError]: (0 , _react.createContext) is not a function

I can't find any documentation about the use of a nonce in Next (possibly since release of 13.4; I must have had something to go on prior to that, since I had this working with the Head component).

A strict CSP is a prerequisite of my application. I'm surprised there aren't more people in the same position.

Any advice or pointers would be hugely appreciated. 🙇‍♂️

[danieltott]

Yeah - see my comment above, and also comments on #43743.

To summarize: there are two parts to this.

• CSP nonces are incompatible with static pages, since they must be different for each request. The content of a statically-generated page is locked at build-time, so adding nonce attributes to scripts won't work.
• The only reasonable solution here is to use a hash in your CSP. However, I haven't been able to find an easy way to accomplish this yet.

My thinking right now is for statically rendered sites that want to use strict-dynamic is to include unsafe-hashes and add hash values for all inline scripts. This theoretically should be possible in a few ways since the values of these are compiled at build-time. However the poking around I've done so far has been fruitless. Middleware craps out trying to read the file system in production. I can imagine some really hacky ways around this, but I have a feeling the real solution here lies somewhere in the black box that is webpack.

[vrajan1981]

Thanks for the replies; I had a blind spot where I didn't see the new app router page components were statically rendered unless you do "something" to make them dynamically rendered. I was assuming they were SSR.

[danieltott]

Totally - it's actually a really nice feature! And you can opt-in to dynamic rendering per route if you want (without calling functions you don't actually need) - this is probably the only viable solution currently until someone who knows webpack comes along.

[vrajan1981]

@danieltott yeah, that should work with us; as we have a strict CSP, we'll just have to live with SSR until a better solution comes along.

[karlhorky]

Added guides for the App Router and the Pages Router here: https://github.com/karlhorky/next-js-tricks#security-headers-including-content-security-policy-csp

[adcichowski]

I have a question, how can I put nonce to _app? Today I use MUI in the dashboard and I need to implement nonce for cache providers.
I create the nonce on each request in middleware, but I can't put the nonce in the _app.tsx
Have anyone some suggestions on how can I implement this?
Should I use getServerSideProps on each page and pass nonce for it?
with _document will not work correctly because is it created in build time.
https://mui.com/material-ui/guides/content-security-policy/

The one option is to change the pages folder to app dir and use get headers in server components

[karlhorky]

Edit, seems like it's possible with Client Context as noted by Daniel below and getServerSideProps as I noted below

Oh, that doesn't sound good, I've added an issue here about that:

• Set context to use getInitialProps nonce in pages karlhorky/next-js-tricks#1

I guess the getInitialProps approach is incompatible with <Link /> - so with the Pages Router you can only get one of the following, not both:

1. Secure CSP with nonce on <Head /> and <NextScript />
2. <Link /> for client side links

If you don't care about <Head /> and <NextScript /> and only want to pass a nonce to a script on the page, then another alternative for the Pages Router would be getServerSideProps

[danieltott]

@adcichowski This is actually possible - since the nonce value is readable at the initial render, you can save it to a ref and then use it client-side. Check out this example - this is working well with links:

https://github.com/danieltott/nextjs-pages-nonce

Note - this (and other nonce-related things) has problems running in dev mode. To see this actually working, you need to build and then start. The dev-mode runner stuff doesn't respect any of the nonce setup.

Here's the important bits:

// in _app.tsx

// get the nonce value from headers
MyApp.getInitialProps = async (
  Context: AppContext
): Promise<Props & AppInitialProps> => {
  const props = await App.getInitialProps(Context);
  const { ctx } = Context;
  const nonce = ctx.req?.headers?.['x-nonce'] as string | undefined;

  return {
    ...props,
    nonce,
  };
};

// main render:
export default function MyApp({
  Component,
  pageProps,
  nonce,
}: Props & AppProps) {
  const nonceRef = useRef(nonce);

  useEffect(() => {
    if (nonce) {
      nonceRef.current = nonce;
    }
  }, [nonce]);
  
  // use nonceRef.current everywhere
}

In my example _app I even loaded that nonce value into a React Context Provider so that downstream components could make use of it. Not required, but if you find yourself having to use nonce values in other components/pages, it could come in handy.

[karlhorky]

@danieltott Nice, thanks! I'll have to take a look at updating my guide to this approach with Client Context. My current approach reads the header from getServerSideProps, but maybe this does not work with <Link /> components 🤔 I should test it.

pages/index.tsx

import { GetServerSidePropsContext } from 'next';
import Script from 'next/script';

type Props = { nonce: string };

export default function Page({ nonce }: Props) {
  return (
    <>
      <div>Home page</div>

      <Script
        src="https://www.google.com/recaptcha/api.js?render=explicit"
        strategy="afterInteractive"
        nonce={nonce}
      />
    </>
  );
}

export async function getServerSideProps(context: GetServerSidePropsContext) {
  return {
    props: {
      // x-nonce header set in middleware.ts
      nonce: context.req.headers['x-nonce'],
    },
  };
}

[danieltott]

@karlhorky this would work fine assuming the page you're linking to also has the same setup - getServerSideProps always runs on the server

[karlhorky]

Ok that makes sense, then my example is fine hehe, tricked myself that it was going to have a problem.

[salazarm]

I'm incrementally migrating to Next.js and for now we're using the static export. Can I use middleware to put a placeholder nonce for our python webserver to fill in when serving the html?

[danieltott]

If you have something that can modify html on the server before it's served, you can do pretty much anything. Unfortunately you won't be able to make the Next server aware of it though, since the static export doesn't employ middleware, and static pages on a typical build will have pre-compiled the <script> tags without middleware having been run. Middleware doesn't get run at all during builds traditional builds. Furthermore, there is just no way to set headers when doing static exports.

Since we can't provide headers for the static export, there's no way to tell Next that the nonce value exists when building the pages. This pretty much rules out the nonce approach.

However, you might be able to do something else: hash values. Here's what this would involve:

• After build, run a script that finds all the js files in the out directory, and calculates the hashes (this can be done right after build, since those values will never change):

  # code generated by AI (I'm not a python person)
  import os
  import hashlib
  
  def get_file_hashes(directory):
    file_hashes = []
    for root, dirs, files in os.walk(directory):
      for file in files:
        if file.endswith('.js'):
          file_path = os.path.join(root, file)
          with open(file_path, 'rb') as f:
            file_contents = f.read()
            file_hash = hashlib.sha256(file_contents).hexdigest()
            file_hashes.append(file_hash)
    return file_hashes
  
  directory = '/path/to/directory'
  file_hashes = get_file_hashes(directory)

• Have python insert a csp header with those hash values:

  default-src
    'self';
  script-src
    'self'
    'strict-dynamic'
    'sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='
    'sha256-more'
    'sha256-hashes'
    'sha256-one-for-each-file';
  child-src
    example.com;
  style-src
    'self'
    example.com;
  font-src
    'self';
  

  Note - line breaks and extra spaces added for clarity, be sure to remove those.

This should allow you to run a solid CSP. With strict-dynamic enabled, this theoretically will work, at least as well as the nonce approach.

If you have inline scripts for third-party scripts that won't be included in the build (<Script src="https://some.domain/script.js" nonce="TEMP_NONCE_VALUE" />) in your first-party React code, you could do what you suggest and have Python replace those nonce values:

• Have python generate a nonce:

  import secrets
  nonce_value = secrets.token_hex(16)

• Insert it into the CSP header:

  default-src
    'self';
  script-src
    'self'
    'strict-dynamic'
    'nonce-{nonce_value}'
    'sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='
    'sha256-more'
    'sha256-hashes'
    'sha256-one-for-each-file';
  child-src
    example.com;
  style-src
    'self'
    example.com;
  font-src
    'self';
  

  Note - line breaks and extra spaces added for clarity, be sure to remove those.
• Then find and replace TEMP_NONCE_VALUE with nonce_value for any files served that were generated by Next (not just the html):

  filedata.replace('TEMP_NONCE_VALUE', nonce_value)

Just note that with the nonce approach, a new nonce needs to be generated with every request, so the find/replace needs to happen dynamically at request time.

The reason you can't do this with the scripts generated by Next is that they usually don't just live in html so you can't just search for '<script ', and there's no way to add attributes to them. This was possible in the Pages router (<NextScript nonce="TEMP_NONCE_VALUE" />), but not the App router.

[salazarm]

I ended up using <Head nonce="NONCE-PLACEHOLDER"> in my _document.tsx and it attached the attribute to all of the scripts in the generated HTML which my python webserver was able to fill in =)

[danieltott]

Ah yes - all of this is a bit easier in the Pages router. I would add it to <NextScript> as well in that case.

[leerob]

Hey folks, wanted to swing back here with an update. After digging through many different issues and discussions, I've made a new page in the documentation (PR) specifically for Content Security Policy and nonces. This docs page:

• Explains how to generate a nonce with Middleware
• Shows how to consume the nonce in a route with headers()
• Shows a complete CSP without needing to use any unsafe
• Shows how to ignore the nonce Middleware from running on prefetches / static assets

Further, we've patched some bugs and made improvements to nonce handling in Next.js that will be available in the latest canary version (for those of you time traveling from the future, upgrade to Next.js 13.5). We also updated the with-strict-csp example in the examples/ folder, which is backlinked from the new documentation page.

Really hope this helps out, thank you all 🙏 I'll be closing this discussion out. To continue the discussion, please go here.