| 1 | ---
|
| 2 | title: Security
|
| 3 | ---
|
| 4 |
|
| 5 | # Security
|
| 6 |
|
| 7 | [MODES: framework]
|
| 8 |
|
| 9 | <br/>
|
| 10 | <br/>
|
| 11 |
|
| 12 | This is by no means a comprehensive guide, but React Router provides features to help address a few aspects under the _very large_ umbrella that is _Security_.
|
| 13 |
|
| 14 | ## `Content-Security-Policy`
|
| 15 |
|
| 16 | If you are implementing a [Content-Security-Policy (CSP)][csp] in your application, specifically one using the `unsafe-inline` directive, you will need to specify a [`nonce`][nonce] attribute on the inline `<script>` elements rendered in your HTML. This must be specified on any API that generates inline scripts, including:
|
| 17 |
|
| 18 | - [`<Scripts nonce>`][scripts] (`root.tsx`)
|
| 19 | - [`<ScrollRestoration nonce>`][scrollrestoration] (`root.tsx`)
|
| 20 | - [`<ServerRouter nonce>`][serverrouter] (`entry.server.tsx`)
|
| 21 | - [`renderToPipeableStream(..., { nonce })`][renderToPipeableStream] (`entry.server.tsx`)
|
| 22 | - [`renderToReadableStream(..., { nonce })`][renderToReadableStream] (`entry.server.tsx`)
|
| 23 |
|
| 24 | [csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
|
| 25 | [nonce]: https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce
|
| 26 | [renderToPipeableStream]: https://react.dev/reference/react-dom/server/renderToPipeableStream
|
| 27 | [renderToReadableStream]: https://react.dev/reference/react-dom/server/renderToReadableStream
|
| 28 | [scripts]: ../api/components/Scripts
|
| 29 | [scrollrestoration]: ../api/components/ScrollRestoration
|
| 30 | [serverrouter]: ../api/framework-routers/ServerRouter
|