fix(security): consolidate proxy to a single src/proxy.ts (CSRF + CSP) #53
## What

Next.js 16 registers the proxy only from the `src/proxy.ts` convention slot (sibling of `src/app`) via a named `export proxy`. At HEAD the repo had two proxy files:

- `proxy.ts` — `export default`, with CSRF + CSP + security headers + auth redirects
- `src/proxy.ts` — named `export proxy`, iron-session auth only

## Why this was a trap

Verified empirically (`next dev` and the production `standalone` server) which proxy actually executes at runtime:

- `proxy.ts` only (default or named)
- `src/proxy.ts` only (named)

At HEAD the root file's secure code ran only because `src/proxy.ts` existed to register the convention slot. Deleting either file as "dead code" would have silently disabled all CSRF/CSP/security headers app-wide.

## Change

- `src/proxy.ts` as a named `export proxy` (the canonical Next 16 location for a `src/app` project).
- `proxy.ts` and root `proxy.test.ts`.
- `src/proxy.test.ts`: CSRF 403, CSP present, valid-token pass-through.
- `src/lib/csrf.ts` docs at `src/proxy.ts`.

## Verification

- `npm run build` → green, `ƒ Proxy (Middleware)` registered.
- `npm test` → 249 tests, 229 pass, 20 fail — all pre-existing DB `ECONNREFUSED` (no local Postgres), identical to baseline. No new failures.
- `POST /api/ready` without `x-csrf-token` → `403 {"error":"CSRF validation failed"}`
- `POST /api/ready` with matching csrf cookie+header → not 403
- `GET /` without session → `307 → /login`
- `GET /login` → CSP + `X-Frame-Options: DENY` + `X-Content-Type-Options: nosniff` + `Referrer-Policy` + `set-cookie: csrf_token=…; Secure`

🤖 Generated with Claude Code
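The behaviour the verification list checks (double-submit CSRF 403 on state-changing requests, security headers on every response, 307 to `/login` without a session, a `Secure` csrf cookie issued on first visit) as an added example written for this page, not the PR's own `src/proxy.ts`. It is framework-agnostic so it runs under plain Node: the named `proxy` export takes a standard `Request` and returns a `Response` where the real file would take `NextRequest` and return `NextResponse.next()` with the headers copied onto it. The cookie name `csrf_token` matches the verification output; the session cookie name, CSP value, `SameSite` choice and the public-path rule are assumptions, not taken from the PR.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// Assumed names (not from the PR): `csrf_token` matches the set-cookie seen in
// the verification; `session` is a hypothetical iron-session cookie name.
export const CSRF_COOKIE = "csrf_token";
export const CSRF_HEADER = "x-csrf-token";
const SESSION_COOKIE = "session";
const UNSAFE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Headers applied to every response that passes through the proxy.
// The CSP value is an assumption; the other three mirror the verification list.
export const SECURITY_HEADERS: Record<string, string> = {
  "content-security-policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
  "x-frame-options": "DENY",
  "x-content-type-options": "nosniff",
  "referrer-policy": "strict-origin-when-cross-origin",
};

export interface Decision {
  status: number;
  body: string | null;
  headers: Record<string, string>;
}

// Minimal Cookie-header parser: "a=b; c=d" -> Map { a => b, c => d }.
export function parseCookies(header: string | undefined): Map<string, string> {
  const out = new Map<string, string>();
  if (!header) return out;
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    out.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return out;
}

// Constant-time comparison of the double-submit pair (cookie value vs header value).
function tokensMatch(a: string, b: string): boolean {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// Pure decision function: everything the proxy does, expressed without a
// Response object so it can be unit-tested synchronously. `headers` keys are lowercase.
export function decide(method: string, pathname: string, headers: Record<string, string>): Decision {
  const cookies = parseCookies(headers["cookie"]);
  const out: Record<string, string> = { ...SECURITY_HEADERS };

  // 1. CSRF double-submit: a state-changing request must carry a header equal to the cookie.
  if (UNSAFE_METHODS.has(method.toUpperCase())) {
    const fromCookie = cookies.get(CSRF_COOKIE);
    const fromHeader = headers[CSRF_HEADER];
    if (!fromCookie || !fromHeader || !tokensMatch(fromCookie, fromHeader)) {
      out["content-type"] = "application/json";
      return { status: 403, body: JSON.stringify({ error: "CSRF validation failed" }), headers: out };
    }
  }

  // 2. Auth redirect: pages other than /login need a session; API routes are left to their own auth (assumed rule).
  const isPublic = pathname === "/login" || pathname.startsWith("/api/");
  if (!isPublic && !cookies.has(SESSION_COOKIE)) {
    out["location"] = "/login";
    return { status: 307, body: null, headers: out };
  }

  // 3. Pass through, issuing a CSRF cookie if the client has none yet. Deliberately not
  //    HttpOnly: the browser code must read it to echo it in the x-csrf-token header.
  if (!cookies.has(CSRF_COOKIE)) {
    out["set-cookie"] = `${CSRF_COOKIE}=${randomBytes(32).toString("hex")}; Path=/; SameSite=Strict; Secure`;
  }
  return { status: 200, body: null, headers: out };
}

// Named export `proxy`: the shape Next.js 16 looks for in src/proxy.ts. This
// stand-in takes a standard Request; the real file would use NextRequest/NextResponse.
export function proxy(req: Request): Response {
  const headers: Record<string, string> = {};
  req.headers.forEach((v, k) => { headers[k.toLowerCase()] = v; });
  const d = decide(req.method, new URL(req.url).pathname, headers);
  return new Response(d.body, { status: d.status, headers: d.headers });
}
```

`decide` is the piece worth unit-testing in the PR's `src/proxy.test.ts` style (CSRF 403, CSP present, valid-token pass-through); note that a token that is present on both sides but different must still be rejected, which is why the comparison is length-checked and constant-time rather than `===`.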