Nosecone is an open source library to set security headers like Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS) on Next.js, SvelteKit, and other JavaScript frameworks using Bun, Deno, or Node.js. Security headers as code.
We’re excited to announce Nosecone, an open-source library designed to make setting security headers—like Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS)—straightforward for applications built with Next.js, SvelteKit, and other JavaScript frameworks using Bun, Deno, or Node.js.
While you can always set headers manually, the complexity grows when you need environment-specific configuration, per-request nonces for inline scripts or styles, or many variants that each need their own configuration.
Whether you’re adapting to the stricter security header requirements of PCI DSS 4.0, which comes into force in 2025, or are simply looking to enhance your app’s security, Nosecone offers:
You can use Nosecone as a standalone library or alongside the Arcjet security as code SDK to further strengthen your app’s defenses against attacks, bots, and spam.
Read our quick start guide and check the source code on GitHub.
Nosecone provides a general JS API, a middleware adapter for Next.js, and config hooks for SvelteKit to set sensible defaults. You can test them locally and easily adjust the configuration as code.
Nosecone is open source and supports the following security headers:
Content-Security-Policy (CSP)
Cross-Origin-Embedder-Policy (COEP)
Cross-Origin-Opener-Policy
Cross-Origin-Resource-Policy
Origin-Agent-Cluster
Referrer-Policy
Strict-Transport-Security (HSTS)
X-Content-Type-Options
X-DNS-Prefetch-Control
X-Download-Options
X-Frame-Options
X-Permitted-Cross-Domain-Policies
X-XSS-Protection
The defaults look like this:
HTTP/1.1 200 OK
content-security-policy: base-uri 'none'; child-src 'none'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self';
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
referrer-policy: no-referrer
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 0
Content-Type: text/plain
Date: Wed, 27 Nov 2024 21:05:50 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
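Since the post says you can test the headers locally, here is an added example (my own code, not Nosecone's) that parses a raw HTTP response and audits it against the defaults listed above: fixed-value headers are compared exactly, HSTS is checked for a max-age of at least one year plus includeSubDomains, and the CSP is parsed into directives so that object-src, base-uri and frame-ancestors are confirmed locked down and no directive has been relaxed with 'unsafe-inline', 'unsafe-eval' or a wildcard. The sample response is constructed here from the default header set, not captured from a server, and the function names are assumptions.

```javascript
// Added example (not Nosecone's own code): audit a raw HTTP response against the
// default security headers. sampleResponse is constructed from the defaults above.
const sampleResponse = `HTTP/1.1 200 OK
content-security-policy: base-uri 'none'; child-src 'none'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' blob: data:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self';
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
referrer-policy: no-referrer
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 0
Content-Type: text/plain
`;

// Header names are case-insensitive, so keys are lower-cased; parsing stops at the
// blank line that ends the header section. The first line is the status line.
function parseResponseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) {
    if (line.trim() === "") break;
    const i = line.indexOf(":");
    if (i === -1) continue;
    headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return headers;
}

// Split a CSP value into a directive -> source-list map.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Fixed-value headers and CSP directives taken from the defaults above.
const expectedHeaders = {
  "x-content-type-options": "nosniff",
  "x-frame-options": "SAMEORIGIN",
  "referrer-policy": "no-referrer",
  "cross-origin-opener-policy": "same-origin",
};
const requiredCspDirectives = {
  "object-src": "'none'",
  "base-uri": "'none'",
  "frame-ancestors": "'none'",
};
const oneYear = 31536000;

// Returns a list of findings; an empty list means the response matches the defaults.
function auditHeaders(raw) {
  const headers = parseResponseHeaders(raw);
  const findings = [];
  for (const [name, expected] of Object.entries(expectedHeaders)) {
    const actual = headers.get(name);
    if (actual === undefined) findings.push(`missing header: ${name}`);
    else if (actual !== expected) findings.push(`unexpected ${name}: ${actual}`);
  }
  const hsts = headers.get("strict-transport-security");
  if (hsts === undefined) {
    findings.push("missing header: strict-transport-security");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < oneYear) findings.push(`hsts max-age below one year: ${hsts}`);
    if (!/includeSubDomains/i.test(hsts)) findings.push("hsts without includeSubDomains");
  }
  const csp = headers.get("content-security-policy");
  if (csp === undefined) {
    findings.push("missing header: content-security-policy");
    return findings;
  }
  const directives = parseCsp(csp);
  for (const [name, expected] of Object.entries(requiredCspDirectives)) {
    const actual = directives.get(name);
    if (!actual) findings.push(`csp: missing directive ${name}`);
    else if (actual.join(" ") !== expected) findings.push(`csp: ${name} is ${actual.join(" ")}`);
  }
  for (const [name, sources] of directives) {
    for (const weak of ["'unsafe-inline'", "'unsafe-eval'", "*"]) {
      if (sources.includes(weak)) findings.push(`csp: ${name} allows ${weak}`);
    }
  }
  return findings;
}

console.log(auditHeaders(sampleResponse)); // [] for the defaults
```

Running this against the output of `curl -si http://localhost:3000/` in CI catches the common regressions: a dropped header after a middleware matcher change, or a CSP that someone loosened to get an inline script working.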
Nosecone provides a Next.js middleware adapter to set the default headers.
Install with npm i @nosecone/next and then set up this middleware.ts file. See the docs for details.
import { createMiddleware } from "@nosecone/next";
// Remove your middleware matcher so Nosecone runs on every route.
export default createMiddleware();
Nosecone provides a CSP config and a hook to set the default security headers in SvelteKit.
Install with npm i @nosecone/sveltekit and then set up this svelte.config.js file. See the docs for details.
import adapter from "@sveltejs/adapter-auto";
import { vitePreprocess } from "@sveltejs/vite-plugin-svelte";
import { csp } from "@nosecone/sveltekit";

/** @type {import('@sveltejs/kit').Config} */
const config = {
  preprocess: vitePreprocess(),
  kit: {
    // Apply CSP with Nosecone defaults
    csp: csp(),
    adapter: adapter(),
  },
};

export default config;
With the CSP set in the SvelteKit config, you can then set the other security headers as a hook in src/hooks.server.ts.
import { createHook } from "@nosecone/sveltekit";
import { sequence } from "@sveltejs/kit/hooks";
export const handle = sequence(createHook());
Nosecone can be connected to your Bun web server to directly set the security response headers.
Install with bun add nosecone and then add this to your server. See the docs for details.
import nosecone from "nosecone";

Bun.serve({
  port: 3000,
  async fetch(req: Request) {
    return new Response("Hello world", {
      headers: nosecone(),
    });
  },
});
Nosecone works with Deno serve to set the security headers. Install with deno add npm:nosecone and then add this to your server. See the docs for details.
import nosecone from "npm:nosecone";

Deno.serve({ port: 3000 }, async (req) => {
  return new Response("Hello world", {
    headers: nosecone(),
  });
});
Nosecone can also work with Node.js applications, but if you are using Express.js (by itself or with Remix) then we recommend using Helmet, which informed much of our work on Nosecone.
Install with npm i nosecone and then set this on your Node.js server. See the docs for details.
import nosecone from "nosecone";
import * as http from "node:http";

const server = http.createServer(async function (
  req: http.IncomingMessage,
  res: http.ServerResponse,
) {
  // nosecone() returns the default security headers; set them before writing the head.
  res.setHeaders(nosecone());
  res.writeHead(200, { "Content-Type": "text/plain" });
  res.end("Hello world");
});

server.listen(3000);
Nosecone is open source so feel free to submit issues for any improvements or changes. We’re also on Discord if you need help!