feat: Create nosecone package for creating secure headers

[blaine-arcjet]

This implements our nosecone package and 2 adapters, Next.js and SvelteKit. These 2 frameworks have some of the best support for nonce-based CSPv3—although Next.js has the caveat of it only working in dynamic mode.

Runtimes like Bun, Deno, and Node.js can use Nosecone directly to set headers on the responses, while adapters are needed for deeper integration. Using middleware works really well for Next.js because we can force the headers to be forwarded and it even detects the nonce from the script-src directive, which it adds to each <script> tag that webpack generates. For SvelteKit, we need to provide csp in the config so it'll add the CSP header, but we also use a hook to add our additional secure headers.

Notably missing:

• Removing X-Powered-By—the frameworks don't give us access to this, we should instead just recommend it be removed.
• A Remix adapter—it needs a lot of logic to thread nonces throughout the application.
• An Express adapter—most people are already using Helmet.

[trunk-io]

😎 Merged successfully - details.

[davidmytton]

All that being said, I really don't like the generalized concept here and I think this makes more sense as a series of packages crafted for specific frameworks.

What do you think about having a central package that defines all the headers and their default values which is imported by other framework-specific packages? Then they can be natively integrated for each framework and the config can be overridden if necessary.

[blaine-arcjet]

What do you think about having a central package that defines all the headers and their default values which is imported by other framework-specific packages?

Yeah, I was thinking about it this morning and it'd be cool to provide functions that produce "good" values for use by any packages. I just need to decide on the API; my initial thought being that we could return an instance of Headers containing all of them.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@sveltejs/[email protected]	Transitive: environment, eval, filesystem, network, shell	+76	244 MB	conduitry, dominik_g, rich_harris, ...1 more
npm/[email protected]	None	0	0 B

View full report↗︎

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report↗︎

[blaine-arcjet]

I've updated & cleaned up all the implementations, reached 100% code coverage on the core nosecone package, and created simple readmes for everything. I've also updated the body of the root PR with the changes/decisions made.

[davidmytton]

Will you include the @arcjet/nosecone package in this PR?

[blaine-arcjet]

Will you include the @arcjet/nosecone package in this PR?

I was going to hold off for this first release. That's mostly because I couldn't think of a good directory name for it and I expect we'll need another release quickly to deal with any issues we encounter with our integration.

[davidmytton]

Looks good! I'd suggest adding an example of how to configure the headers in the READMEs, but good for us to test internally.