Merge pull request #35 from jagaapple/release/v2.1.0

# New Features
- Add support for Node.js 14 #36
- Add support for chain-case directive styles to CSP #40


# Changes and Fixes
- Update dependencies #34
- Fix readme #37
- Fix `report-to` directive #38
- Fix metadata #39

.github/workflows/build-and-test.yml

@@ -20,7 +20,7 @@ jobs:
     needs: "parameters"
     strategy:
       matrix:
-        node: ["10.15", "12.13"]
+        node: ["10.15", "12.13", "14.15"]
     steps:
       - uses: "actions/checkout@v2"
       - name: "Use Node.js"
@@ -43,7 +43,7 @@ jobs:
     runs-on: "ubuntu-latest"
     strategy:
       matrix:
-        node: ["10.15", "12.13"]
+        node: ["10.15", "12.13", "14.15"]
     steps:
       - uses: "actions/checkout@v2"
       - name: "Use Node.js"
@@ -72,7 +72,7 @@ jobs:
     runs-on: "ubuntu-latest"
     strategy:
       matrix:
-        node: ["10.15", "12.13"]
+        node: ["10.15", "12.13", "14.15"]
     steps:
       - uses: "actions/checkout@v2"
       - name: "Use Node.js"

.node-version

@@ -1 +1 @@
-10.15.3
+12.20.0

.vscode/settings.json

@@ -10,6 +10,9 @@
   "editor.rulers": [
     128
   ],
+  "editor.codeActionsOnSave": {
+    "source.fixAll.eslint": true
+  },
 
 
   // ---------------------------------------------------------------------------------------------------------------------------
@@ -29,22 +32,25 @@
     "lib/**": true
   },
 
-  // Specifies the folder path containing the tsserver and lib*.d.ts files to use.
-  "typescript.tsdk": "node_modules/typescript/lib",
-
 
   // ---------------------------------------------------------------------------------------------------------------------------
   // Extensions
   // ---------------------------------------------------------------------------------------------------------------------------
   // ESLint
-  "editor.codeActionsOnSave": {
-    "source.fixAll.eslint": true
-  },
+  "eslint.validate": [
+    "javascript",
+    "javascriptreact",
+    "typescript",
+    "typescriptreact"
+  ],
 
 
   // ---------------------------------------------------------------------------------------------------------------------------
   // Language Setings
   // ---------------------------------------------------------------------------------------------------------------------------
+  // Specifies the folder path containing the tsserver and lib*.d.ts files to use.
+  "typescript.tsdk": "./node_modules/typescript/lib",
+
   "[javascript]": {
     "editor.formatOnSave": true
   },

CHANGELOG.md

@@ -1,4 +1,16 @@
 # Changelog
+## 2.1.0 (2020-12-27)
+- Add support for Node.js 14 #36 - [@jagaapple](https://github.com/jagaapple)
+- Add support for chain-case directive styles to CSP #40 - [@jagaapple](https://github.com/jagaapple)
+- Fix readme #37 - [@jagaapple](https://github.com/jagaapple)
+- Fix `invalid bin field` warning #39 - [@jagaapple](https://github.com/jagaapple)
+- Fix `report-to` directive #38
+  - Fix parse processes
+  - Fix invalid value like `undefined <directive-name>` when `report-uri` or `report-to` is specified
+- Improve development environment
+  - Update dependencies #34 - [@jagaapple](https://github.com/jagaapple)
+  - Change Node.js version in development #34 - [@jagaapple](https://github.com/jagaapple)
+
 ## 2.0.0 (2020-08-08)
 - Add support for static pages without any servers 🎉
   - Add `createSecureHeaders` function #25 - [@jagaapple](https://github.com/jagaapple)

README.md

@@ -26,7 +26,7 @@ module.exports = {
 
 <div align="center">
 <a href="https://www.npmjs.com/package/next-secure-headers"><img src="https://img.shields.io/npm/v/next-secure-headers.svg" alt="npm"></a>
-<a href="https://github.com/jagaapple/next-secure-headers/actions"><img src="https://github.com/jagaapple/next-secure-headers/workflows/Build%20and%20test/badge.svg" alt="GitHub Actions"></a>
+<a href="https://github.com/jagaapple/next-secure-headers/actions?query=workflow%3A%22Build+and+test%22"><img src="https://github.com/jagaapple/next-secure-headers/workflows/Build%20and%20test/badge.svg" alt="GitHub Actions"></a>
 <a href="https://codecov.io/gh/jagaapple/next-secure-headers"><img src="https://img.shields.io/codecov/c/github/jagaapple/next-secure-headers.svg"></a>
 <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/github/license/jagaapple/next-secure-headers.svg" alt="license"></a>
 <a href="https://twitter.com/jagaapple_tech"><img src="https://img.shields.io/badge/contact-%40jagaapple_tech-blue.svg" alt="@jagaapple_tech"></a>
@@ -150,6 +150,12 @@ One is to use `createSecureHeaders` in `next.config.js` , and another is to use
 > ❗️ **Next.js 9.5 or higher is required.**
 > `headers` function has been supported since Next.js 9.5, so you have to use Next.js 9.5 or higher if you want to use this way.
 
+> 🤔 **For Next.js 10 and I18n routes.**
+> If your project uses Next.js 10 and built-in I18n routes, and you want to apply rules for all pages, you have to specify
+> `"/:path*"` to `source` property instead of `"/(.*)"` .
+> Conversely, if your project doesn't use I18n routes even if using Next.js 10, you have to specify `"/(.*)"` instead.
+> These limitations are maybe bugs in Next.js .
+
 This way uses `createSecureHeaders` function and [a built-in header configuration way by Next.js](https://nextjs.org/docs/api-reference/next.config.js/headers).
 This is not required any servers, can be used in static pages, and can retain [Automatic Static Optimization](https://nextjs.org/docs/advanced-features/automatic-static-optimization).
 If your project does not use any servers (using static pages or SSG) or you have just created a Next.js project, I recommend retaining static pages and adopting this way.
@@ -351,7 +357,7 @@ blocks many XSS attacks, but Content Security Policy is recommended to use compa
           & Partial<{
             navigateTo: string | string[];
             reportURI: string | URL | (string | URL)[];
-            reportTo: Record<string, any>;
+            reportTo: string;
           }>;
         reportOnly?: boolean;
       };
@@ -367,6 +373,8 @@ non-allowed resources.
 
 If you give true to `reportOnly` , this sets "Content-Security-Policy-Report-Only" to value instead of "Content-Security-Policy".
 
+Also you can specify directives using chain-case names such as `child-src` instead of `childSrc` .
+
 ### `expectCT`
 ```ts
 {

example-hoc/package.json → example-hoc-9/package.json

@@ -1,5 +1,5 @@
 {
-  "name": "next-secure-headers-example-hoc",
+  "name": "next-secure-headers-example-hoc-9",
   "version": "1.0.0",
   "scripts": {
     "dev": "next dev",

example-hoc/pages/index.tsx → example-hoc-9/pages/index.tsx

@@ -1,4 +1,5 @@
 import Head from "next/head";
+import Link from "next/link";
 
 const Page = () => (
   <>
@@ -11,8 +12,12 @@ const Page = () => (
       This page doesn't use <code>next-secure-headers</code>, but <code>_app.tsx</code> use instead.
     </p>
     <p>
-      Check actual response headers from <code>Developer Tools > Network > Response Headers</code> in your web browser.
+      Check actual response headers from <code>Developer Tools &gt; Network &gt; Response Headers</code> in your web browser.
     </p>
+
+    <Link href="/second">
+      <a>Move to the second page</a>
+    </Link>
   </>
 );
 

example-hoc-9/pages/second.tsx

@@ -0,0 +1,20 @@
+import Head from "next/head";
+import Link from "next/link";
+
+const Page = () => (
+  <>
+    <Head>
+      <title>next-secure-headers Example (the second page)</title>
+    </Head>
+
+    <h1>The second page</h1>
+
+    <hr />
+
+    <Link href="/">
+      <a>Move to the top page</a>
+    </Link>
+  </>
+);
+
+export default Page;

example-static-10-i18n/next.config.js

@@ -0,0 +1,23 @@
+const { createSecureHeaders } = require("next-secure-headers");
+
+module.exports = {
+  poweredByHeader: false,
+  i18n: { locales: ["en", "ja"], defaultLocale: "en", },
+  async headers() {
+    return [
+      {
+        source: "/:path*",
+        headers: createSecureHeaders({
+          contentSecurityPolicy: {
+            directives: {
+              defaultSrc: "'self'",
+              styleSrc: ["'self'", "https://stackpath.bootstrapcdn.com"],
+            },
+          },
+          forceHTTPSRedirect: [true, { maxAge: 60 * 60 * 24 * 4, includeSubDomains: true }],
+          referrerPolicy: "same-origin",
+        }),
+      },
+    ];
+  },
+};