@djangocfg/nextjs 2.1.427 → 2.1.429

package/README.md

@@ -27,6 +27,8 @@
 - **i18n** — full next-intl integration with routing, middleware, and components
 - **PWA** — zero-config service worker and manifest
 - **Base Next.js Config** — reusable `createBaseNextConfig()` factory for monorepos
+- **Security headers + CSP** — baseline Content-Security-Policy and hardening headers on every route, dev-aware (see below)
+- **DPoP auth** — one-flag opt-in to RFC 9449 sender-constrained tokens (`dpop: true`) — see [`@docs/DPOP.md`](./@docs/DPOP.md)
 - **Sitemap** — paginated sitemap-index backed by `django_cfg.modules.django_sitemap` (handles 2M+ URLs)
 - **Health Checks** — production-ready health monitoring endpoints
 - **Navigation** — route definitions, menu generation, and active-state helpers
@@ -112,6 +114,37 @@ export default withBundleAnalyzer(createBaseNextConfig({
 }));
 ```
 
+### Security headers & CSP
+
+`createBaseNextConfig()` adds baseline security headers to **every route** out of
+the box — no setup required:
+
+- `Content-Security-Policy` — a pragmatic baseline that blocks the high-value
+  injection vectors (`object-src 'none'`, `base-uri 'self'`, `form-action 'self'`,
+  `frame-ancestors`) while keeping the inline/eval scripts a Next.js app needs.
+  **Dev-aware:** `connect-src`/`img-src` allow `http:`/`ws:` in development (local
+  Django/Centrifugo) and tighten to `https:`/`wss:` only in production.
+- `X-Content-Type-Options: nosniff`, `Referrer-Policy: strict-origin-when-cross-origin`
+- `X-Frame-Options: DENY` (or `SAMEORIGIN` when `allowIframeFrom` is set)
+
+A fully strict nonce-based `script-src` is a planned follow-up (needs middleware +
+per-request nonce). To allow iframe embedding, pass `allowIframeFrom: ['https://example.com']`.
+
+### DPoP — sender-constrained tokens (RFC 9449)
+
+Make a stolen access token useless, **without a BFF/proxy** — opt in with one flag:
+
+```tsx
+export default createBaseNextConfig({
+  dpop: true, // inlines NEXT_PUBLIC_DPOP_ENABLED='true'
+});
+```
+
+The browser holds a non-extractable key and signs a per-request `DPoP` proof; the
+backend binds the token to that key (`cnf.jkt`) and rejects replays. Requires
+`JWTConfig(dpop_enabled=True)` on the Django side. Full guide:
+[`@docs/DPOP.md`](./@docs/DPOP.md).
+
 ### PWA (Progressive Web App)
 
 **Zero-config PWA** - Works out of the box! Service worker and offline support included automatically.

package/dist/config/index.d.mts

@@ -50,6 +50,15 @@ interface BaseNextConfigOptions {
      * Set to ['*'] to allow all origins, or specify domains like ['https://djangocfg.com']
      */
     allowIframeFrom?: string[];
+    /**
+     * Enable DPoP (RFC 9449) sender-constrained tokens on the generated API
+     * client. When true, the client holds a non-extractable key and signs a
+     * per-request `DPoP` proof so a stolen token is useless. Must be paired with
+     * `jwt = JWTConfig(dpop_enabled=True)` on the Django backend. Default: false.
+     *
+     * Inlines `NEXT_PUBLIC_DPOP_ENABLED='true'` so the generated auth.ts activates.
+     */
+    dpop?: boolean;
     /**
      * PWA configuration options
      * Set to false to disable PWA, or provide custom options
@@ -103,9 +112,9 @@ declare function createBaseNextConfig(options?: BaseNextConfigOptions): NextConf
  */
 declare const PACKAGE_NAME = "@djangocfg/nextjs";
 declare const DJANGO_CFG_BANNER = "\n\u2588\u2588\u2588\u2588\u2588\u2588\u2557      \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557   \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2557      \u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557\n\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557     \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557    \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\n\u2588\u2588\u2551  \u2588\u2588\u2551     \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551  \u2588\u2588\u2588\u2557\u2588\u2588\u2551   \u2588\u2588\u2551    \u2588\u2588\u2551     \u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551  \u2588\u2588\u2588\u2557\n\u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588   \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551    \u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u255D  \u2588\u2588\u2551   \u2588\u2588\u2551\n\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u255A\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u2588\u2588\u2551  \u2588\u2588\u2551\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D    \u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551     \u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255D\n\u255A\u2550\u2550\u2550\u2550\u2550\u255D  \u255A\u2550\u2550\u2550\u2550\u255D \u255A\u2550\u255D  \u255A\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D  \u255A\u2550\u2550\u2550\u2550\u2550\u255D      \u255A\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u255D      \u255A\u2550\u2550\u2550\u2550\u2550\u255D\n";
-declare const DJANGOCFG_PACKAGES: readonly ["@djangocfg/ui-core", "@djangocfg/ui-nextjs", "@djangocfg/layouts", "@djangocfg/nextjs", "@djangocfg/api", "@djangocfg/centrifugo", "@djangocfg/eslint-config", "@djangocfg/typescript-config"];
-declare const DEFAULT_TRANSPILE_PACKAGES: readonly ["@djangocfg/i18n", "@djangocfg/ui-core", "@djangocfg/ui-nextjs", "@djangocfg/layouts", "@djangocfg/ui-tools", "@djangocfg/api", "@djangocfg/centrifugo", "@djangocfg/debuger", "@djangocfg/monitor", "@djangocfg/ext-support", "@djangocfg/ext-payments"];
-declare const DEFAULT_OPTIMIZE_PACKAGES: readonly ["@djangocfg/ui-core", "@djangocfg/ui-nextjs", "@djangocfg/layouts", "lucide-react", "recharts"];
+declare const DJANGOCFG_PACKAGES: readonly ["@djangocfg/ui-core", "@djangocfg/layouts", "@djangocfg/nextjs", "@djangocfg/api", "@djangocfg/centrifugo", "@djangocfg/eslint-config", "@djangocfg/typescript-config"];
+declare const DEFAULT_TRANSPILE_PACKAGES: readonly ["@djangocfg/i18n", "@djangocfg/ui-core", "@djangocfg/layouts", "@djangocfg/ui-tools", "@djangocfg/api", "@djangocfg/centrifugo", "@djangocfg/debuger", "@djangocfg/monitor"];
+declare const DEFAULT_OPTIMIZE_PACKAGES: readonly ["@djangocfg/ui-core", "@djangocfg/layouts", "lucide-react", "recharts"];
 
 /**
  * Deep Merge Utility

package/dist/config/index.mjs

@@ -14,7 +14,7 @@ var require_package = __commonJS({
   "package.json"(exports, module) {
     module.exports = {
       name: "@djangocfg/nextjs",
-      version: "2.1.427",
+      version: "2.1.429",
       description: "Next.js server utilities: sitemap, health, OG images, contact forms, navigation, config",
       keywords: [
         "nextjs",
@@ -263,7 +263,6 @@ var DJANGO_CFG_BANNER = `
 `;
 var DJANGOCFG_PACKAGES = [
   "@djangocfg/ui-core",
-  "@djangocfg/ui-nextjs",
   "@djangocfg/layouts",
   "@djangocfg/nextjs",
   "@djangocfg/api",
@@ -274,20 +273,15 @@ var DJANGOCFG_PACKAGES = [
 var DEFAULT_TRANSPILE_PACKAGES = [
   "@djangocfg/i18n",
   "@djangocfg/ui-core",
-  "@djangocfg/ui-nextjs",
   "@djangocfg/layouts",
   "@djangocfg/ui-tools",
   "@djangocfg/api",
   "@djangocfg/centrifugo",
   "@djangocfg/debuger",
-  "@djangocfg/monitor",
-  // Extensions (for source imports without build)
-  "@djangocfg/ext-support",
-  "@djangocfg/ext-payments"
+  "@djangocfg/monitor"
 ];
 var DEFAULT_OPTIMIZE_PACKAGES = [
   "@djangocfg/ui-core",
-  "@djangocfg/ui-nextjs",
   "@djangocfg/layouts",
   "lucide-react",
   "recharts"
@@ -1353,6 +1347,10 @@ function createBaseNextConfig(options = {}) {
   const baseConfig = {
     reactStrictMode: true,
     trailingSlash: true,
+    // Dev indicator position — set explicitly so it's managed from one place
+    // across every @djangocfg app. Apps can override via `devIndicators` in
+    // their options (deep-merged over this). Kept bottom-left for now.
+    devIndicators: { position: "bottom-left" },
     // Static export configuration
     ...isStaticBuild && {
       output: "export",
@@ -1372,6 +1370,9 @@ function createBaseNextConfig(options = {}) {
       NEXT_PUBLIC_BASE_PATH: basePath,
       NEXT_PUBLIC_API_URL: apiUrl,
       NEXT_PUBLIC_SITE_URL: siteUrl,
+      // DPoP toggle for the generated auth client (RFC 9449). Only inlined when
+      // explicitly enabled, so non-DPoP apps stay on the plain Bearer path.
+      ...options.dpop ? { NEXT_PUBLIC_DPOP_ENABLED: "true" } : {},
       // Disable Next.js telemetry (Next.js 15+ uses env var instead of config option)
       NEXT_TELEMETRY_DISABLED: "1",
       ...options.env
@@ -1392,19 +1393,35 @@ function createBaseNextConfig(options = {}) {
           ]
         }
       ];
-      if (options.allowIframeFrom && options.allowIframeFrom.length > 0) {
-        const frameAncestors = options.allowIframeFrom.includes("*") ? "*" : `'self' ${options.allowIframeFrom.join(" ")}`;
-        headers.push({
-          source: "/:path*",
-          headers: [
-            // Content-Security-Policy frame-ancestors directive
-            { key: "Content-Security-Policy", value: `frame-ancestors ${frameAncestors}` },
-            // X-Frame-Options for older browsers (ALLOW-FROM is deprecated, use CSP instead)
-            // Only set SAMEORIGIN if allowing all, otherwise browsers will use CSP
-            ...options.allowIframeFrom.includes("*") ? [] : [{ key: "X-Frame-Options", value: "SAMEORIGIN" }]
-          ]
-        });
-      }
+      const hasIframeAllowlist = !!options.allowIframeFrom && options.allowIframeFrom.length > 0;
+      const frameAncestors = hasIframeAllowlist ? options.allowIframeFrom.includes("*") ? "*" : `'self' ${options.allowIframeFrom.join(" ")}` : "'none'";
+      const connectSrc = isDev ? "connect-src 'self' http: https: ws: wss:" : "connect-src 'self' https: wss:";
+      const imgSrc = isDev ? "img-src 'self' data: blob: http: https:" : "img-src 'self' data: blob: https:";
+      const cspDirectives = [
+        "default-src 'self'",
+        // Next.js requires inline + eval for its runtime/HMR. Tighten to nonces later.
+        "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+        "style-src 'self' 'unsafe-inline'",
+        imgSrc,
+        "font-src 'self' data:",
+        // API/websocket calls go cross-origin to Django/Centrifugo.
+        connectSrc,
+        "object-src 'none'",
+        "base-uri 'self'",
+        "form-action 'self'",
+        `frame-ancestors ${frameAncestors}`
+      ];
+      headers.push({
+        source: "/:path*",
+        headers: [
+          { key: "X-Content-Type-Options", value: "nosniff" },
+          { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
+          { key: "Content-Security-Policy", value: cspDirectives.join("; ") },
+          // X-Frame-Options for older browsers. Omitted when a wildcard iframe
+          // allowlist is set (browsers then rely on CSP frame-ancestors).
+          ...hasIframeAllowlist && options.allowIframeFrom.includes("*") ? [] : [{ key: "X-Frame-Options", value: hasIframeAllowlist ? "SAMEORIGIN" : "DENY" }]
+        ]
+      });
       const userHeaders = options.headers ? await options.headers() : [];
       return [...headers, ...userHeaders];
     },
@@ -1506,6 +1523,7 @@ function createBaseNextConfig(options = {}) {
     checkPackages: checkPackages2,
     autoInstall,
     allowIframeFrom,
+    dpop,
     ...nextConfigOptions
   } = options;
   let finalConfig = deepMerge(baseConfig, nextConfigOptions);