> ## Documentation Index
> Fetch the complete documentation index at: https://docs.shipthing.com/llms.txt
> Use this file to discover all available pages before exploring further.

# 安全头信息

> 用于保护应用程序的安全头信息。

ShipThing使用[Nosecone](https://docs.arcjet.com/nosecone/quick-start)来设置与安全相关的HTTP响应头。

## 配置

以下是已启用的头信息：

* `Cross-Origin-Embedder-Policy` (COEP)
* `Cross-Origin-Opener-Policy`
* `Cross-Origin-Resource-Policy`
* `Origin-Agent-Cluster`
* `Referrer-Policy`
* `Strict-Transport-Security` (HSTS)
* `X-Content-Type-Options`
* `X-DNS-Prefetch-Control`
* `X-Download-Options`
* `X-Frame-Options`
* `X-Permitted-Cross-Domain-Policies`
* `X-XSS-Protection`

有关每个头信息和配置选项的详细信息，请参阅[Nosecone参考文档](https://docs.arcjet.com/nosecone/reference)。

## 使用

推荐的头信息默认已设置并配置在`zh/@repo/security/middleware`中。更改此处的配置将影响所有应用。

然后这些头信息会在中间件中附加到响应中，位于`zh/apps/app/middleware`和`zh/apps/web/middleware.ts`。调整这些文件中的配置只会影响特定的应用。

## 内容安全策略(CSP)

CSP头信息默认未设置，因为它需要根据您启用的ShipThing功能进行特定配置。

在此期间，您可以使用Nosecone配置来设置CSP头信息。例如，以下CSP配置将与默认的ShipThing功能配合使用：

```ts theme={"system"}
import type { NoseconeOptions } from '@nosecone/next';
import { defaults as noseconeDefaults } from '@nosecone/next';

const noseconeOptions: NoseconeOptions = {
  ...noseconeDefaults,
  contentSecurityPolicy: {
    ...noseconeDefaults.contentSecurityPolicy,
    directives: {
      ...noseconeDefaults.contentSecurityPolicy.directives,
      scriptSrc: [
        // We have to use unsafe-inline because next-themes and Vercel Analytics
        // do not support nonce
        // https://github.com/pacocoursey/next-themes/issues/106
        // https://github.com/vercel/analytics/issues/122
        //...noseconeDefaults.contentSecurityPolicy.directives.scriptSrc,
        "'self'",
        "'unsafe-inline'",
        "https://www.googletagmanager.com",
        "https://*.clerk.accounts.dev",
        "https://va.vercel-scripts.com",
      ],
      connectSrc: [
        ...noseconeDefaults.contentSecurityPolicy.directives.connectSrc,
        "https://*.clerk.accounts.dev",
        "https://*.google-analytics.com",
        "https://clerk-telemetry.com",
      ],
      workerSrc: [
        ...noseconeDefaults.contentSecurityPolicy.directives.workerSrc,
        "blob:",
        "https://*.clerk.accounts.dev"
      ],
      imgSrc: [
        ...noseconeDefaults.contentSecurityPolicy.directives.imgSrc,
        "https://img.clerk.com"
      ],
      objectSrc: [
        ...noseconeDefaults.contentSecurityPolicy.directives.objectSrc,
      ],
      // We only set this in production because the server may be started
      // without HTTPS
      upgradeInsecureRequests: process.env.NODE_ENV === "production",
    },
  },
}
```
