Security
🔐 Security Headers
The standard starter includes a set of security headers by default in app/headers.ts. These help protect against common attacks like cross-site scripting (XSS), clickjacking, and data injection.
3 collapsed lines
import { RouteMiddleware } from "@redwoodjs/sdk/router";import { IS_DEV } from "@redwoodjs/sdk/constants";
export const setCommonHeaders = (): RouteMiddleware => ({ headers, rw: { nonce } }) => { if (!IS_DEV) { // Forces browsers to always use HTTPS for a specified time period (2 years) headers.set( "Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload", ); }
// Forces browser to use the declared content-type instead of trying to guess/sniff it headers.set("X-Content-Type-Options", "nosniff");
// Stops browsers from sending the referring webpage URL in HTTP headers headers.set("Referrer-Policy", "no-referrer");
// Explicitly disables access to specific browser features/APIs headers.set( "Permissions-Policy", "geolocation=(), microphone=(), camera=()", );
// Defines trusted sources for content loading and script execution: headers.set( "Content-Security-Policy", `default-src 'self'; script-src 'self' 'nonce-${nonce}' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; object-src 'none';`, ); };Changing CSP (Content Security Policy) headers
Sometimes you need to allow additional resources or modify the Content Security Policy (CSP) to accommodate third-party scripts, styles, or other assets. The CSP headers control what resources can be loaded and executed by your application.
Adding trusted domains
The default CSP in the starter focuses on the most critical security aspects. For many applications, this provides a good balance between security and functionality. When you need to integrate third-party resources, you can extend it like this:
// In app/headers.tsheaders.set( "Content-Security-Policy", `default-src 'self'; script-src 'self' 'nonce-${nonce}' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; object-src 'none';`, `default-src 'self'; script-src 'self' 'nonce-${nonce}' https://challenges.cloudflare.com https://trusted-scripts.example.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; img-src 'self' https://images.example.com; object-src 'none';`,);Using nonce for inline scripts
Sometimes you need to include inline scripts in your application, but Content Security Policy (CSP) blocks them by default for security reasons. RedwoodSDK automatically generates a fresh, cryptographically secure nonce value for each request You can access this nonce in document or page components rendered by the router, using rw.nonce.
export const Document = ({ rw, children }) => ( <html lang="en"> <head><!-- ... --></head> <body> <div id="root">{children}</div>
<!-- Set the nonce the inline script --> <script nonce={row.nonce}>/* ... */</script> </body> </html>);
export default defineApp<AppContext>([ // ... render(Document, [ // ... ]),]);Lifting device permission restrictions
Sometimes you need to allow your web application to access device features like the camera, microphone, or geolocation. These permissions are controlled by the Permissions-Policy header.
By default, the standard starter includes restrictive permissions settings for security reasons.
To enable device access, you’ll need to modify the Permissions-Policy header in your app/headers.ts file:
// In app/headers.tsheaders.set( "Permissions-Policy", "geolocation=(), microphone=(), camera=()", "geolocation=self, microphone=self, camera=self");The self keyword allows the feature to be used only by your own domain.
For a complete reference, see the MDN Permissions Policy documentation.