Generated nonce for secure headers middleware uses NodeJS Buffer API

[rmarscher]

What is the feature you are proposing?

I would like to use the secure headers NONCE value using only web platform APIs. It currently uses Buffer.from() to convert the data to base64.

• feat(secure-headers): enable to set nonce in CSP #2577
• https://github.com/honojs/hono/blob/v4.3.8/src/middleware/secure-headers/index.ts#L115

With Cloudflare Workers, that requires enabling nodejs_compat.

oslo.js contains an alternate implementation that does not require NodeJS APIs. It works for me, but I can understand you might not want to add a new dependency.

• https://oslo.js.org/reference/encoding/base64
• https://github.com/pilcrowOnPaper/oslo/blob/main/src/encoding/base64.ts

import { base64 } from "oslo/encoding"

const generateNonce = () => {
  const buffer = new Uint8Array(16)
  crypto.getRandomValues(buffer)
  return base64.encode(buffer)
}

It may be possible to use a different Buffer or base64 polyfill.

[yusukebe]

Hi @rmarscher

Thanks. This will be fixed in the next minor release. Please wait a bit.