Next.jsSecurityWeb Development

Implementing Content Security Policy in a Next.js App

Published on May 12, 2026

Introduction

Content Security Policy (CSP) is a powerful security feature that helps protect web applications from cross-site scripting (XSS) attacks. By defining which sources of content are allowed to be executed within a web page, CSP can effectively prevent malicious scripts from running and stealing sensitive user data. In this article, we'll explore how to implement a Content Security Policy in a Next.js application, ensuring the security and integrity of your users' data.

Understanding Content Security Policy

Before we dive into the implementation, let's take a brief look at how CSP works. A Content Security Policy is defined by a set of directives that specify which sources of content are allowed to be executed within a web page. These directives are communicated to the browser through the Content-Security-Policy HTTP header or the <meta> tag.

Some common CSP directives include:

default-src: Defines the default policy for fetching resources such as scripts, styles, and images.
script-src: Specifies which sources of scripts are allowed to be executed.
style-src: Specifies which sources of styles are allowed to be applied.
object-src: Specifies which sources of plugins are allowed to be loaded.

Implementing CSP in Next.js

To implement a Content Security Policy in a Next.js application, you'll need to configure the next.config.js file to include the headers property. This property allows you to define custom HTTP headers that will be included in the response to every request.

Here's an example of how you might configure the next.config.js file to include a basic CSP:

module.exports = {
  //... other configurations ...
  async headers() {
    return [
      {
        source: '/:path*',
        headers: [
          {
            key: 'Content-Security-Policy',
            value: `
              default-src 'self';
              script-src 'self' https://cdn.jsdelivr.net;
              style-src 'self' https://fonts.googleapis.com;
              object-src 'none';
            `,
          },
        ],
      },
    ];
  },
};

In this example, we're defining a basic CSP that allows scripts to be loaded from the same origin ('self') and from https://cdn.jsdelivr.net. We're also allowing styles to be loaded from the same origin and from https://fonts.googleapis.com. Finally, we're disallowing the loading of any plugins by setting object-src to 'none'.

Handling Inline Scripts and Styles

One common challenge when implementing a Content Security Policy is handling inline scripts and styles. By default, CSP will block any inline scripts or styles, which can cause issues with certain libraries or frameworks that rely on these types of scripts.

To handle inline scripts and styles, you can use the unsafe-inline directive. However, be aware that using this directive can introduce security risks, as it allows any inline script or style to be executed.

Here's an example of how you might modify the previous CSP to allow inline scripts and styles:

module.exports = {
  //... other configurations ...
  async headers() {
    return [
      {
        source: '/:path*',
        headers: [
          {
            key: 'Content-Security-Policy',
            value: `
              default-src 'self';
              script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline';
              style-src 'self' https://fonts.googleapis.com 'unsafe-inline';
              object-src 'none';
            `,
          },
        ],
      },
    ];
  },
};

Using Nonces for Inline Scripts

Another approach to handling inline scripts is to use nonces. A nonce is a unique token that is generated for each request and is included in the CSP directive. This allows you to specify which inline scripts are allowed to be executed, while still maintaining the security benefits of CSP.

To use nonces in a Next.js application, you'll need to generate a unique token for each request and include it in the CSP directive. You can use a library like crypto to generate the nonce.

Here's an example of how you might modify the previous CSP to use nonces:

const crypto = require('crypto');

module.exports = {
  //... other configurations ...
  async headers() {
    const nonce = crypto.randomBytes(16).toString('base64');
    return [
      {
        source: '/:path*',
        headers: [
          {
            key: 'Content-Security-Policy',
            value: `
              default-src 'self';
              script-src 'self' https://cdn.jsdelivr.net 'nonce-${nonce}';
              style-src 'self' https://fonts.googleapis.com;
              object-src 'none';
            `,
          },
        ],
      },
    ];
  },
};

You'll also need to include the nonce in any inline scripts that you want to allow:

<script nonce="{{ nonce }}">
  // inline script code here
</script>

Conclusion

Implementing a Content Security Policy in a Next.js application is an effective way to protect your users' data from cross-site scripting (XSS) attacks. By defining a robust CSP that specifies which sources of content are allowed to be executed, you can ensure the security and integrity of your application. Remember to handle inline scripts and styles carefully, and consider using nonces to specify which inline scripts are allowed to be executed. With a well-configured CSP, you can provide a safer and more secure experience for your users.

Back to Insights