From f1def32cc3551d8f452257689a34c6895fff7478 Mon Sep 17 00:00:00 2001
From: Gandalf <gandalf@storm.pl>
Date: Wed, 31 Dec 2025 00:16:39 +0100
Subject: [PATCH 1/2] feat: Add nonce-based CSP implementation (WIP)

DRAFT: This is a work-in-progress implementation of nonce-based CSP.

Implements:
- Nonce generation in middleware using crypto.randomUUID()
- CSP header with nonce for script-src and style-src
- 'strict-dynamic' to allow scripts loaded by nonced scripts
- Nonce passed to layout via x-nonce header
- Script components use nonce prop

Still needs:
- Wallet app implementation
- Testing with all Script components in the app
- Testing with third-party scripts (Twitter embeds, etc.)
- Verification that HBAuth/Beekeeper WASM still works
- Hive Keychain compatibility testing
- Comprehensive testing before switching from Report-Only to enforcing

This provides ~95% XSS protection vs ~40% with unsafe-inline.
---
 apps/blog/app/layout.tsx | 16 ++++++++++--
 apps/blog/middleware.ts  | 56 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/apps/blog/app/layout.tsx b/apps/blog/app/layout.tsx
index 9575e635a..66710cba7 100644
--- a/apps/blog/app/layout.tsx
+++ b/apps/blog/app/layout.tsx
@@ -2,7 +2,7 @@ import '@hive/tailwindcss-config/globals.css';
 import { ReactNode } from 'react';
 import Script from 'next/script';
 import { Metadata } from 'next';
-import { cookies } from 'next/headers';
+import { cookies, headers } from 'next/headers';
 import MainBar from '../features/layouts/site-header/main-bar';
 import ClientEffects from '../features/layouts/site-header/client-effects';
 import { Providers } from '../features/layouts/providers';
@@ -11,6 +11,15 @@ import VisitLoggerClient from '../lib/visit-logger-client';
 // Get basePath from build-time environment
 const basePath = process.env.NEXT_PUBLIC_BASE_PATH || '';
 
+/**
+ * Get the CSP nonce from the request headers.
+ * The nonce is generated in middleware and passed via x-nonce header.
+ */
+function getNonce(): string {
+  const headersList = headers();
+  return headersList.get('x-nonce') || '';
+}
+
 const SITE_DESC =
   'Communities without borders. A social network owned and operated by its users, powered by Hive.';
 
@@ -48,6 +57,9 @@ export default async function RootLayout({ children }: { children: ReactNode })
   const locale = cookieStore.get('NEXT_LOCALE')?.value || 'en';
   const isRTL = locale === 'ar';
 
+  // Get nonce for CSP-compliant script loading
+  const nonce = getNonce();
+
   return (
     <html lang={locale} dir={isRTL ? 'rtl' : 'ltr'}>
       <body className="bg-background-secondary">
@@ -60,7 +72,7 @@ export default async function RootLayout({ children }: { children: ReactNode })
             </>
           </Providers>
         </div>
-        <Script src={`${basePath}/__ENV.js`} strategy="beforeInteractive" />
+        <Script src={`${basePath}/__ENV.js`} strategy="beforeInteractive" nonce={nonce} />
         <ClientEffects />
       </body>
     </html>
diff --git a/apps/blog/middleware.ts b/apps/blog/middleware.ts
index aa3b5b4d7..f6a800439 100644
--- a/apps/blog/middleware.ts
+++ b/apps/blog/middleware.ts
@@ -1,15 +1,71 @@
 import { type NextRequest, NextResponse } from 'next/server';
 import { setLoginChallengeCookies } from '@hive/smart-signer/lib/middleware-challenge-cookies';
 
+/**
+ * Generate a cryptographically secure nonce for CSP.
+ * In production, crypto.randomUUID() is available in Edge runtime.
+ */
+function generateNonce(): string {
+  // Use crypto.randomUUID() which is available in modern Edge runtime
+  // Convert to base64 for CSP compatibility
+  const uuid = crypto.randomUUID();
+  // Use btoa-safe encoding (remove hyphens, then encode)
+  return Buffer.from(uuid.replace(/-/g, ''), 'hex').toString('base64');
+}
+
+/**
+ * Build CSP header value with nonce for script and style execution.
+ * This provides strong XSS protection while allowing legitimate inline scripts.
+ */
+function buildCspHeader(nonce: string): string {
+  return [
+    // Default fallback for unspecified resource types
+    "default-src 'self'",
+    // Scripts: only allow same-origin and nonced scripts
+    // 'strict-dynamic' allows scripts loaded by nonced scripts
+    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' 'wasm-unsafe-eval' https://platform.twitter.com`,
+    // Styles: nonce-based (fallback to unsafe-inline for older browsers)
+    `style-src 'self' 'nonce-${nonce}' 'unsafe-inline'`,
+    // Images: self + any HTTPS + data URIs + blob
+    "img-src 'self' https: data: blob:",
+    // Fonts: self + data URIs
+    "font-src 'self' data:",
+    // API connections: permissive for user-defined endpoints
+    "connect-src 'self' https:",
+    // Embedded content whitelist
+    "frame-src https://platform.twitter.com https://www.instagram.com https://player.vimeo.com https://www.youtube.com https://w.soundcloud.com https://player.twitch.tv https://open.spotify.com https://3speak.tv https://3speak.online https://3speak.co https://emb.d.tube https://odysee.com https://openhive.chat",
+    // Web Workers
+    "worker-src 'self' blob:",
+    // Clickjacking protection
+    "frame-ancestors 'self'",
+    // Restrict base URI
+    "base-uri 'self'",
+    // Restrict form submissions
+    "form-action 'self'",
+    // Report violations
+    "report-uri /api/csp-report"
+  ].join('; ');
+}
+
 export async function middleware(request: NextRequest): Promise<NextResponse> {
   const { pathname } = request.nextUrl;
   const basePath = process.env.NEXT_PUBLIC_BASE_PATH || '';
 
+  // Generate nonce for this request
+  const nonce = generateNonce();
+
   const res = NextResponse.next();
 
   // Set login challenge cookies (needed for console logging process)
   setLoginChallengeCookies(request, res);
 
+  // Set CSP header with nonce
+  // Using Report-Only initially for safety - switch to Content-Security-Policy when ready
+  res.headers.set('Content-Security-Policy-Report-Only', buildCspHeader(nonce));
+
+  // Pass nonce to app via header (to be read in layout.tsx)
+  res.headers.set('x-nonce', nonce);
+
   // In blog, redirect root path to /trending
   if (pathname === '/' || pathname === `${basePath}` || pathname === `${basePath}/`) {
     return NextResponse.redirect(new URL(`${basePath}/trending`, request.url), { status: 302 });
-- 
GitLab


From 003444e0145d05ac6d8ee6bf1cffacaf4d1ec8fb Mon Sep 17 00:00:00 2001
From: Gandalf <gandalf@storm.pl>
Date: Wed, 31 Dec 2025 00:30:18 +0100
Subject: [PATCH 2/2] feat: Restrict connect-src to trusted Hive API nodes in
 nonce CSP

Same restriction as Phase 2 - whitelist trusted API nodes:
- https://api.hive.blog
- https://api.syncad.com
- https://api.openhive.network
- https://images.hive.blog
---
 apps/blog/middleware.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/blog/middleware.ts b/apps/blog/middleware.ts
index f6a800439..aaaf9f239 100644
--- a/apps/blog/middleware.ts
+++ b/apps/blog/middleware.ts
@@ -30,8 +30,9 @@ function buildCspHeader(nonce: string): string {
     "img-src 'self' https: data: blob:",
     // Fonts: self + data URIs
     "font-src 'self' data:",
-    // API connections: permissive for user-defined endpoints
-    "connect-src 'self' https:",
+    // API connections: whitelist of trusted Hive API nodes
+    // Only nodes running proper haf_api_node software are allowed
+    "connect-src 'self' https://api.hive.blog https://api.syncad.com https://api.openhive.network https://images.hive.blog",
     // Embedded content whitelist
     "frame-src https://platform.twitter.com https://www.instagram.com https://player.vimeo.com https://www.youtube.com https://w.soundcloud.com https://player.twitch.tv https://open.spotify.com https://3speak.tv https://3speak.online https://3speak.co https://emb.d.tube https://odysee.com https://openhive.chat",
     // Web Workers
-- 
GitLab