@webjsdev/server 0.8.9 → 0.8.10

package/index.js

@@ -1,4 +1,6 @@
 export { startServer, createRequestHandler } from './src/dev.js';
+export { assertNodeVersion, checkNodeVersion, requiredNodeMajor, parseMajor, parseRequiredMajor } from './src/node-version.js';
+export { validateEnv, formatEnvErrors, loadEnvSchema, applyEnvValidation } from './src/env-schema.js';
 export { buildRouteTable, matchPage, matchApi } from './src/router.js';
 export { ssrPage, ssrNotFound } from './src/ssr.js';
 export { handleApi } from './src/api.js';
@@ -35,6 +37,7 @@ export { scanComponents, primeComponentRegistry, extractComponents, findOrphanCo
 export { headers, cookies, getRequest, withRequest, cspNonce } from './src/context.js';
 export { defaultLogger } from './src/logger.js';
 export { rateLimit, parseWindow, clientIp, stampRemoteIp } from './src/rate-limit.js';
+export { cors, resolveOrigin, applyCorsHeaders } from './src/cors.js';
 export { memoryStore, redisStore, getStore, setStore } from './src/cache.js';
 export { cache } from './src/cache-fn.js';
 export { Session, session, cookieSessionStorage, storeSessionStorage, cookieSession, storeSession, getSession } from './src/session.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@webjsdev/server",
-  "version": "0.8.9",
+  "version": "0.8.10",
   "type": "module",
   "description": "webjs dev/prod server: SSR, router, API, server actions, live reload",
   "main": "index.js",

package/src/actions.js

@@ -6,6 +6,20 @@ import { getExposed } from '@webjsdev/core';
 import { walk } from './fs-walk.js';
 import { verify as verifyCsrf, CSRF_COOKIE, CSRF_HEADER } from './csrf.js';
 import { getSerializer } from './serializer.js';
+import { resolveOrigin } from './cors.js';
+import { readTextBounded, payloadTooLarge, DEFAULT_MAX_BODY_BYTES } from './body-limit.js';
+import { getBodyLimits } from './context.js';
+
+/**
+ * The JSON / RPC body cap in effect for the current request: the per-request
+ * limit the handler stamped, or the secure default outside a request scope (a
+ * direct unit-test invocation). `0` disables the cap.
+ * @returns {number}
+ */
+function jsonBodyLimit() {
+  const limits = getBodyLimits();
+  return limits ? limits.json : DEFAULT_MAX_BODY_BYTES;
+}
 
 /**
  * Internal RPC wire-format content type. Distinguishes webjs action
@@ -294,9 +308,13 @@ export async function invokeAction(idx, hash, fnName, req) {
   }
   const file = idx.hashToFile.get(hash);
   if (!file) return rpcResponse({ error: 'Unknown action' }, { status: 404 });
+  // Bounded read (issue #237): reject an over-limit RPC body with 413 without
+  // buffering it whole (Content-Length fast-reject, plus a streaming cap for a
+  // chunked body with no declared length).
+  const { tooLarge, text: body } = await readTextBounded(req, jsonBodyLimit());
+  if (tooLarge) return payloadTooLarge();
   let args = [];
   try {
-    const body = await req.text();
     args = body ? getSerializer().deserialize(body) : [];
     if (!Array.isArray(args)) args = [args];
   } catch {
@@ -388,11 +406,23 @@ export function withCors(resp, route, req) {
   return new Response(resp.body, { status: resp.status, statusText: resp.statusText, headers: newHeaders });
 }
 
-/** @param {string|string[]} configured @param {string} origin */
+/**
+ * Match a route's configured origin policy against the request origin,
+ * preserving the expose() path's historical contract: `*` returns `true`
+ * (literal wildcard), an allowed concrete origin echoes back, and a
+ * mismatch returns `null`. Delegates the per-rule decision to the shared
+ * cors.js resolver (so RegExp + function policies work here too) but keeps
+ * the wildcard-as-`true` and echo-vs-null shape this caller expects.
+ *
+ * @param {string|string[]|RegExp|((origin: string) => boolean)} configured
+ * @param {string} origin
+ * @returns {true | string | null}
+ */
 function matchOrigin(configured, origin) {
   if (configured === '*') return true;
-  if (Array.isArray(configured)) return configured.includes(origin) ? origin : null;
-  return configured === origin ? origin : null;
+  const resolved = resolveOrigin(configured, origin, false);
+  if (!resolved) return null;
+  return resolved.allowOrigin === '*' ? true : resolved.allowOrigin;
 }
 
 /**
@@ -408,7 +438,9 @@ export async function invokeExposedAction(idx, route, params, req) {
   const query = Object.fromEntries(url.searchParams.entries());
   let body = {};
   if (req.method !== 'GET' && req.method !== 'HEAD') {
-    const text = await req.text();
+    // Bounded read (issue #237): an over-limit body is a 413 before any parse.
+    const { tooLarge, text } = await readTextBounded(req, jsonBodyLimit());
+    if (tooLarge) return payloadTooLarge();
     if (text) {
       try {
         const parsed = JSON.parse(text);

package/src/api.js

@@ -25,7 +25,22 @@ export async function handleApi(route, params, webRequest, dev) {
     });
   }
   /** @type any */ (webRequest).params = params;
-  const result = await handler(webRequest, { params });
+  let result;
+  try {
+    result = await handler(webRequest, { params });
+  } catch (e) {
+    // A route handler that read its body via `readBody` (json.js) over the
+    // size limit (issue #237) throws a BodyLimitError; surface it as 413 rather
+    // than a generic 500. Detected via a marker so a cross-module-copy
+    // instanceof miss never downgrades it.
+    if (e && /** @type any */ (e).webjsBodyLimit) {
+      return new Response('Payload Too Large', {
+        status: 413,
+        headers: { 'content-type': 'text/plain; charset=utf-8' },
+      });
+    }
+    throw e;
+  }
   if (result instanceof Response) return result;
   // Convenience: allow returning plain objects as JSON.
   return Response.json(result);

package/src/auth.js

@@ -8,7 +8,8 @@
  */
 
 import { getStore } from './cache.js';
-import { getRequest } from './context.js';
+import { getRequest, getBodyLimits } from './context.js';
+import { readTextBounded, readFormDataBounded, payloadTooLarge, DEFAULT_MAX_BODY_BYTES } from './body-limit.js';
 
 const enc = new TextEncoder();
 const dec = new TextDecoder();
@@ -409,10 +410,24 @@ export function createAuth(config) {
       const provider = providers.get(seg[1]);
       if (!provider) return new Response('Unknown provider', { status: 404 });
       if (provider.type === 'credentials') {
+        // Bounded body read (issue #237): the credentials sign-in endpoint is
+        // public and unauthenticated, so cap its body to defend against
+        // memory exhaustion. Credentials are small fixed-shape JSON / form
+        // data, so the JSON / RPC limit applies. An over-limit body is a 413
+        // before any parse, and is never buffered whole (see body-limit.js).
+        const limits = getBodyLimits();
+        const limit = limits ? limits.json : DEFAULT_MAX_BODY_BYTES;
         let body = {};
         const ct = req.headers.get('content-type') || '';
-        if (ct.includes('json')) body = await req.json();
-        else if (ct.includes('form')) { const fd = await req.formData(); for (const [k, v] of fd.entries()) body[k] = v; }
+        if (ct.includes('json')) {
+          const { tooLarge, text } = await readTextBounded(req, limit);
+          if (tooLarge) return payloadTooLarge();
+          body = text ? JSON.parse(text) : {};
+        } else if (ct.includes('form')) {
+          const { tooLarge, formData } = await readFormDataBounded(req, limit);
+          if (tooLarge) return payloadTooLarge();
+          for (const [k, v] of formData.entries()) body[k] = v;
+        }
         return signInFn('credentials', body, { req });
       }
       if (provider.type === 'oauth') return oauthRedirect(provider, { req });

package/src/body-limit.js

@@ -0,0 +1,291 @@
+/**
+ * Request body-size limits (413) and node:http server timeouts (issue #237).
+ *
+ * webjs's prod server reads request bodies on three paths: the server-action
+ * RPC endpoint (actions.js), `route.{js,ts}` handlers via `readBody` (json.js),
+ * and the no-JS page-action form path (page-action.js). Without a cap, an
+ * uncapped body is a memory-exhaustion vector. This module is the SINGLE place
+ * that decides the limit and performs a bounded read, so every body-read site
+ * enforces it uniformly.
+ *
+ * Two ideas, both web-standard / node:http-native, no library:
+ *
+ *   1. A bounded read. `readTextBounded` / `readFormDataBounded` reject a body
+ *      over the configured limit with a 413 WITHOUT buffering the whole thing:
+ *      a `Content-Length` over the limit is a fast reject (the body is never
+ *      read), and a chunked/streamed body without `Content-Length` is counted
+ *      while it streams and abandoned the moment it crosses the limit (so the
+ *      process never holds more than roughly one chunk past the limit).
+ *
+ *   2. Server timeouts. `computeServerTimeouts` derives the `requestTimeout`,
+ *      `headersTimeout`, and `keepAliveTimeout` values applied to the node:http
+ *      server in `startServer`, with secure production defaults and config / env
+ *      overrides. node semantics: `headersTimeout` MUST be < `requestTimeout`
+ *      (node measures the header-receipt deadline from the start of the request,
+ *      so a headers deadline at or above the whole-request deadline can never
+ *      fire), so the helper clamps it below `requestTimeout` when a config sets
+ *      them inconsistently.
+ */
+
+/** Default JSON / RPC body cap: 1 MiB. Generous for an action payload. */
+export const DEFAULT_MAX_BODY_BYTES = 1024 * 1024;
+
+/**
+ * Default form / multipart body cap: 10 MiB. A form submission (the page-action
+ * path) may legitimately carry more than a JSON RPC call (a textarea, a small
+ * upload), so it gets a separate, higher, still-bounded limit. Large file
+ * uploads are a distinct concern (#247) with their own streaming story.
+ */
+export const DEFAULT_MAX_MULTIPART_BYTES = 10 * 1024 * 1024;
+
+/**
+ * Thrown by `readBody` (json.js) when a route handler's body exceeds the limit.
+ * The RPC and page-action paths return a 413 Response inline, but `readBody`
+ * runs INSIDE a user route handler and returns parsed data, so it signals the
+ * over-limit case by throwing. The API dispatcher (`handleApi`) catches this and
+ * maps it to a 413, so a handler that just does `await readBody(req)` gets the
+ * correct status with no extra code.
+ */
+export class BodyLimitError extends Error {
+  constructor() {
+    super('Payload Too Large');
+    this.name = 'BodyLimitError';
+    /** Marker so `handleApi` can detect it without an instanceof across module copies. */
+    this.webjsBodyLimit = true;
+  }
+}
+
+/** requestTimeout: time to receive the ENTIRE request (headers + body). 30s. */
+export const DEFAULT_REQUEST_TIMEOUT_MS = 30_000;
+
+/**
+ * headersTimeout: time to receive the request headers. Must be < requestTimeout
+ * (node measures both from the same request start, so an equal-or-greater value
+ * never fires). 20s is comfortably under the 30s whole-request deadline.
+ */
+export const DEFAULT_HEADERS_TIMEOUT_MS = 20_000;
+
+/** keepAliveTimeout: idle time before closing a kept-alive socket. 5s. */
+export const DEFAULT_KEEP_ALIVE_TIMEOUT_MS = 5_000;
+
+/**
+ * Read a non-negative integer from an env var, or undefined when unset / blank /
+ * not a finite non-negative integer. A value of `0` is honored (it disables the
+ * limit / timeout), so the check is on parseability, not truthiness.
+ *
+ * @param {string | undefined} raw
+ * @returns {number | undefined}
+ */
+function envInt(raw) {
+  if (raw == null || raw === '') return undefined;
+  const n = Number(raw);
+  if (!Number.isFinite(n) || n < 0 || !Number.isInteger(n)) return undefined;
+  return n;
+}
+
+/**
+ * Read a non-negative integer from a package.json `webjs.<key>` value, or
+ * undefined when absent / not a finite non-negative integer.
+ *
+ * @param {unknown} pkg parsed package.json (or any object)
+ * @param {string} key the `webjs.<key>` field name
+ * @returns {number | undefined}
+ */
+function pkgInt(pkg, key) {
+  const v =
+    pkg && typeof pkg === 'object' && /** @type {any} */ (pkg).webjs
+      ? /** @type {any} */ (pkg).webjs[key]
+      : undefined;
+  if (typeof v !== 'number' || !Number.isFinite(v) || v < 0 || !Number.isInteger(v)) {
+    return undefined;
+  }
+  return v;
+}
+
+/**
+ * Resolve the body-size limits. Precedence: env override wins, then the
+ * package.json `webjs.maxBodyBytes` / `webjs.maxMultipartBytes` config, then the
+ * secure defaults. A value of `0` (from env or config) disables that limit, the
+ * deliberate opt-out (e.g. an app fronted by an edge that already caps bodies).
+ *
+ *   WEBJS_MAX_BODY_BYTES        -> json / rpc cap
+ *   WEBJS_MAX_MULTIPART_BYTES   -> form / multipart cap
+ *
+ * @param {unknown} pkg parsed package.json (or any object)
+ * @param {{ env?: NodeJS.ProcessEnv }} [opts] injectable env (tests)
+ * @returns {{ json: number, multipart: number }} resolved byte limits (0 = off)
+ */
+export function readBodyLimits(pkg, opts = {}) {
+  const env = opts.env || process.env;
+  const json =
+    envInt(env.WEBJS_MAX_BODY_BYTES) ??
+    pkgInt(pkg, 'maxBodyBytes') ??
+    DEFAULT_MAX_BODY_BYTES;
+  const multipart =
+    envInt(env.WEBJS_MAX_MULTIPART_BYTES) ??
+    pkgInt(pkg, 'maxMultipartBytes') ??
+    DEFAULT_MAX_MULTIPART_BYTES;
+  return { json, multipart };
+}
+
+/**
+ * Resolve the node:http server timeouts. Precedence mirrors `readBodyLimits`:
+ * env override, then package.json `webjs.requestTimeoutMs` /
+ * `webjs.headersTimeoutMs` / `webjs.keepAliveTimeoutMs`, then the defaults. A
+ * value of `0` disables that timeout (node's own "no limit" sentinel).
+ *
+ *   WEBJS_REQUEST_TIMEOUT_MS
+ *   WEBJS_HEADERS_TIMEOUT_MS
+ *   WEBJS_KEEP_ALIVE_TIMEOUT_MS
+ *
+ * node semantics enforced here: `headersTimeout` MUST be strictly less than
+ * `requestTimeout` to fire (both deadlines run from the same request start). So
+ * when a non-zero `headersTimeout` is >= a non-zero `requestTimeout`, clamp it
+ * to just under `requestTimeout` rather than silently shipping a dead timeout.
+ *
+ * @param {unknown} pkg parsed package.json (or any object)
+ * @param {{ env?: NodeJS.ProcessEnv }} [opts] injectable env (tests)
+ * @returns {{ requestTimeout: number, headersTimeout: number, keepAliveTimeout: number }}
+ */
+export function computeServerTimeouts(pkg, opts = {}) {
+  const env = opts.env || process.env;
+  const requestTimeout =
+    envInt(env.WEBJS_REQUEST_TIMEOUT_MS) ??
+    pkgInt(pkg, 'requestTimeoutMs') ??
+    DEFAULT_REQUEST_TIMEOUT_MS;
+  let headersTimeout =
+    envInt(env.WEBJS_HEADERS_TIMEOUT_MS) ??
+    pkgInt(pkg, 'headersTimeoutMs') ??
+    DEFAULT_HEADERS_TIMEOUT_MS;
+  const keepAliveTimeout =
+    envInt(env.WEBJS_KEEP_ALIVE_TIMEOUT_MS) ??
+    pkgInt(pkg, 'keepAliveTimeoutMs') ??
+    DEFAULT_KEEP_ALIVE_TIMEOUT_MS;
+  // Keep headersTimeout strictly under requestTimeout so it can actually fire.
+  // Both are measured from the same request start; a headers deadline at or
+  // above the whole-request deadline is dead. Skip when either is 0 (disabled).
+  if (requestTimeout > 0 && headersTimeout >= requestTimeout) {
+    headersTimeout = Math.max(1, requestTimeout - 1000);
+  }
+  return { requestTimeout, headersTimeout, keepAliveTimeout };
+}
+
+/**
+ * A 413 Payload Too Large response, returned by every body-read site when the
+ * bounded read trips the limit. Tiny plain-text body so it stays content-type
+ * agnostic; the caller never needs to vary it.
+ *
+ * @returns {Response}
+ */
+export function payloadTooLarge() {
+  return new Response('Payload Too Large', {
+    status: 413,
+    headers: { 'content-type': 'text/plain; charset=utf-8' },
+  });
+}
+
+/**
+ * Read a request body as bytes, bounded by `limit`. The single funnel both text
+ * and FormData readers go through.
+ *
+ *   - `limit <= 0` disables the cap (read the whole body).
+ *   - A `Content-Length` header over the limit is a FAST REJECT: the body is
+ *     never touched, so an attacker-declared huge upload costs nothing.
+ *   - Otherwise the body stream is read chunk by chunk and the running total is
+ *     checked AFTER each chunk. The moment it crosses the limit the read is
+ *     abandoned (the stream reader is cancelled) and `tooLarge` is returned, so
+ *     a chunked body with no `Content-Length` can never buffer more than the
+ *     bytes already read (roughly limit + one chunk), not the full payload.
+ *
+ * @param {Request} req
+ * @param {number} limit max bytes (0 / negative = unlimited)
+ * @returns {Promise<{ tooLarge: boolean, bytes: Uint8Array | null }>}
+ */
+export async function readBytesBounded(req, limit) {
+  // Fast reject on a declared Content-Length over the limit: never read a byte.
+  if (limit > 0) {
+    const cl = req.headers.get('content-length');
+    if (cl != null) {
+      const declared = Number(cl);
+      if (Number.isFinite(declared) && declared > limit) {
+        return { tooLarge: true, bytes: null };
+      }
+    }
+  }
+
+  const body = req.body;
+  if (!body) return { tooLarge: false, bytes: new Uint8Array(0) };
+
+  const reader = body.getReader();
+  /** @type {Uint8Array[]} */
+  const chunks = [];
+  let total = 0;
+  try {
+    for (;;) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      if (!value) continue;
+      total += value.byteLength;
+      // Enforce WHILE reading so a no-Content-Length stream can't buffer past
+      // the limit: bail the instant the running total crosses it.
+      if (limit > 0 && total > limit) {
+        // Stop pulling more bytes; release the upstream so the socket can close.
+        try { await reader.cancel(); } catch { /* already closed */ }
+        return { tooLarge: true, bytes: null };
+      }
+      chunks.push(value);
+    }
+  } finally {
+    try { reader.releaseLock(); } catch { /* reader already released */ }
+  }
+
+  // Concatenate the collected chunks into one buffer.
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.byteLength;
+  }
+  return { tooLarge: false, bytes: out };
+}
+
+/**
+ * Read a request body as text, bounded by `limit`. Used by the RPC endpoint,
+ * `readBody`, and the exposed-action REST path, all of which then parse the
+ * text (webjs wire or JSON).
+ *
+ * @param {Request} req
+ * @param {number} limit max bytes (0 / negative = unlimited)
+ * @returns {Promise<{ tooLarge: boolean, text: string }>}
+ */
+export async function readTextBounded(req, limit) {
+  const { tooLarge, bytes } = await readBytesBounded(req, limit);
+  if (tooLarge) return { tooLarge: true, text: '' };
+  const text = bytes && bytes.byteLength ? new TextDecoder().decode(bytes) : '';
+  return { tooLarge: false, text };
+}
+
+/**
+ * Read a request body as `FormData`, bounded by `limit`. Used by the page-action
+ * form path. Reconstructs a bounded Request from the already-read bytes and
+ * defers to the platform `formData()` parser, so multipart and
+ * urlencoded bodies are decoded exactly as before, just size-checked first.
+ *
+ * @param {Request} req
+ * @param {number} limit max bytes (0 / negative = unlimited)
+ * @returns {Promise<{ tooLarge: boolean, formData: FormData | null }>}
+ */
+export async function readFormDataBounded(req, limit) {
+  const { tooLarge, bytes } = await readBytesBounded(req, limit);
+  if (tooLarge) return { tooLarge: true, formData: null };
+  const ct = req.headers.get('content-type') || '';
+  // Hand the bounded bytes back to a fresh Request so its standard formData()
+  // parser (multipart boundary handling, urlencoded decoding) runs unchanged.
+  const bounded = new Request(req.url, {
+    method: 'POST',
+    headers: ct ? { 'content-type': ct } : undefined,
+    body: bytes && bytes.byteLength ? bytes : undefined,
+  });
+  const formData = await bounded.formData();
+  return { tooLarge: false, formData };
+}

package/src/context.js

@@ -10,7 +10,17 @@ import { setCspNonceProvider, cspNonce } from '@webjsdev/core';
  *
  * Strictly server-side: importing this module on the client is a bug.
  *
- * @typedef {{ req: Request }} Store
+ * `cspNonce` holds the per-request CSP nonce when CSP is enabled
+ * (issue #233). It is minted in the request handler and written here via
+ * `setCspNonce`, so the same value the `Content-Security-Policy` header
+ * carries is what `cspNonce()` returns for the inline boot script.
+ *
+ * `bodyLimits` holds the resolved request body-size caps (issue #237) so
+ * `readBody` (used inside `route.{js,ts}` handlers, which have no handle to the
+ * server state) can enforce the same limit the RPC and page-action paths do. The
+ * handler writes it per request via `setBodyLimits`.
+ *
+ * @typedef {{ req: Request, cspNonce?: string, bodyLimits?: { json: number, multipart: number } }} Store
  */
 
 /** @type {AsyncLocalStorage<Store>} */
@@ -33,10 +43,52 @@ export function getRequest() {
 }
 
 /**
- * Server-only implementation of the CSP nonce reader: pulls the
- * current request from AsyncLocalStorage, parses the
- * `script-src 'nonce-...'` value from its CSP header, returns ''
- * when none in scope.
+ * Set the per-request CSP nonce on the current AsyncLocalStorage store.
+ * Called by the request handler when CSP is enabled, AFTER it mints the
+ * nonce and BEFORE the page renders, so `cspNonce()` returns this exact
+ * value during SSR (the same value the response's
+ * `Content-Security-Policy` header carries: one source, no drift).
+ *
+ * A no-op outside a request scope, or when CSP is disabled (the handler
+ * simply never calls it, so the store's `cspNonce` stays undefined and
+ * `cspNonce()` falls through to '').
+ *
+ * @param {string} nonce
+ */
+export function setCspNonce(nonce) {
+  const store = als.getStore();
+  if (store) store.cspNonce = nonce;
+}
+
+/**
+ * Set the per-request resolved body-size limits on the current store (issue
+ * #237). The handler computes them once at boot (`readBodyLimits`) and stamps
+ * them on every request so `readBody` (json.js), which runs inside route
+ * handlers with no access to the server state, can enforce the same cap.
+ *
+ * @param {{ json: number, multipart: number }} limits
+ */
+export function setBodyLimits(limits) {
+  const store = als.getStore();
+  if (store) store.bodyLimits = limits;
+}
+
+/**
+ * Read the per-request body-size limits, or null outside a request scope.
+ * @returns {{ json: number, multipart: number } | null}
+ */
+export function getBodyLimits() {
+  return als.getStore()?.bodyLimits ?? null;
+}
+
+/**
+ * Server-only implementation of the CSP nonce reader. Returns the
+ * per-request nonce that the handler MINTED and stored (issue #233) when
+ * CSP is enabled. Falls back to parsing an INBOUND
+ * `Content-Security-Policy` request header (the legacy consume-only
+ * behaviour) so an app sitting behind a proxy that already mints a nonce
+ * still works without enabling webjs's own CSP. Returns '' when neither
+ * is in scope.
  *
  * The public `cspNonce()` function lives in `@webjsdev/core` so user
  * layouts / pages can import it without dragging server-only deps
@@ -46,18 +98,16 @@ export function getRequest() {
  * `cspNonce()` returns '' (empty `nonce=""` attribute, browser
  * ignores it).
  */
-// The regex captures the first `nonce-...` token anywhere in the CSP
-// header. Webjs uses a single per-request nonce shared across all
-// directives that emit it (the standard CSP3 single-nonce model),
-// so reading the first match is correct. If a future caller emits
-// styled inline content under a separate style nonce, this reader
-// would need to become directive-scoped. Kept identical to the
-// matching helper in ssr.js so both paths interpret the header the
-// same way.
+// The regex fallback captures the first `nonce-...` token anywhere in the
+// inbound CSP header. Webjs uses a single per-request nonce shared across
+// all directives that emit it (the standard CSP3 single-nonce model), so
+// reading the first match is correct. Kept identical to the matching
+// helper in ssr.js so both paths interpret the header the same way.
 setCspNonceProvider(() => {
-  const req = als.getStore()?.req;
-  if (!req) return '';
-  const csp = req.headers.get('content-security-policy') || '';
+  const store = als.getStore();
+  if (!store) return '';
+  if (typeof store.cspNonce === 'string') return store.cspNonce;
+  const csp = store.req?.headers.get('content-security-policy') || '';
   const match = /\bnonce-([A-Za-z0-9+/=]+)/.exec(csp);
   return match ? match[1] : '';
 });