Video: Content Security Policy with Next.js: Leveling Up your Website's Security

Video Summary and Transcription
The video discusses why a Content Security Policy (CSP) should be implemented in Next.js applications. A CSP is a security layer against cross-site scripting (XSS) and data injection attacks: it restricts what the browser is allowed to load and execute. A CSP can be added either through HTTP headers or with a meta tag in the document head; the talk also shows how middleware can apply a policy under more specific conditions. A 'nonce' is explained as a unique token that lets a specific inline script run without weakening the policy. Tools such as Google's CSP Evaluator and Mozilla Observatory can validate a CSP and suggest improvements. The talk stresses that a CSP can be tailored to the environment, for example a more relaxed policy during development and a stricter one in production, and that CSP violation reports can be collected to find problems and tighten the policy.

This talk was presented at React Summit US 2023; check out the latest edition of this React conference.

FAQ

A Content Security Policy can be tailored per environment. For instance, in a development environment the CSP can be more relaxed to facilitate testing, while in production it can be made stricter to provide stronger protection against attacks.

Examples of policy directives in a CSP include specifying default sources of content, such as limiting sources to your own domain, and adding exceptions, like allowing Google web fonts to be downloaded. These directives help control where content can be loaded from, enhancing security.

To validate a CSP for a Next.js application, you can use tools like Google's CSP Evaluator or Mozilla Observatory. These tools analyze the CSP and provide reports on potential improvements or issues, helping ensure the policy effectively secures the application.

A Content Security Policy (CSP) is a security layer that helps shield applications from threats like cross-site scripting (XSS) and data injection attacks by restricting browser functionality. It defines a list of policy directives that limit what the browser is allowed to execute, enhancing the security of web applications.

You can find examples and detailed documentation on implementing Content Security Policies in Next.js on the official Next.js documentation website. Additionally, sample applications implementing CSP can often be found on repositories like GitHub.

A 'nonce' is a one-time token used in a CSP to allow specific inline scripts or styles to execute while maintaining overall policy compliance. This is useful when you need to run inline scripts safely, as each script must include the unique nonce value to execute.

In a Next.js app, a CSP prevents unauthorized content by enforcing rules that restrict external content sources. For example, if a CSP only allows content from the app's own domain, any attempt to load an image from a different domain would be blocked unless explicitly allowed in the CSP.

To implement a Content Security Policy in a Next.js application, you can add a CSP directly in the HTML using a meta tag in the head section or more securely through HTTP headers. The Next.js documentation provides detailed options on how to add different headers, including CSP, to your application configuration.

