From bba6f2f428fdbb67ab5baeb2f7d7053aac1d8268 Mon Sep 17 00:00:00 2001
From: amirhhashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 1 Mar 2025 16:47:59 +0330
Subject: [PATCH 01/22] Improve security docs

---
 src/routes/solid-start/guides/security.mdx | 210 ++++++++++++++++++---
 1 file changed, 189 insertions(+), 21 deletions(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 7b6c2f8ab..dde11685f 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -2,35 +2,203 @@
 title: Security
 ---
 
-As a non-opinionated framework, SolidStart doesn't enforce any security practices, though it enables enables developers to implement them as needed.
-It is important to know what are the requirements for your own app and implement the fitting security measures.
-If at any point you are unsure about the security of your app, or how to achieve something within the constraints of SolidStart reach us on [Discord](https://discord.gg/solidjs).
+This guide walks you through how to implement common security mechanisms in SolidStart.
 
-Below you will find a few notes on how to establish some measures.
+## XSS (Cross Site Scripting)
 
-## Security Headers
+Solid automatically escape values passed to JSX expressions to reduce the risk of XSS attacks.
+However, this protection does not apply when using [`innerHTML`](https://docs.solidjs.com/reference/jsx-attributes/innerhtml-or-textcontent#innerhtml-or-textcontent).
 
-Through the use of a [middleware](/solid-start/reference/server/create-middleware#example) it is possible to tab into the `onRequest` event handlers and make sure every request going through your servers have the proper security headers set.
-With this, it is possible to setup headers like `Content-Security-Policy`, `X-Frame-Options`, `X-XSS-Protection`, `X-Content-Type-Options`, among others.
+To protect your application from XSS attacks:
 
-### Nonces
+1. Avoid using [`innerHTML`](/reference/jsx-attributes/innerhtml-or-textcontent#innerhtml-or-textcontent) when possible.
+   If you must use it, sanitize the content before rendering with libraries such as [DOMPurify](https://github.com/cure53/DOMPurify).
+2. Set a Content Security Policy (CSP).
+3. Validate and sanitize user inputs.
+   Always validate form inputs on the server in addition to the client.
+4. Use the `HttpOnly` and `Secure` attributes on cookies.
 
-When using `Content-Security-Policy` it is possible to use nonces to allow inline scripts and styles to be executed.
-SolidStart enables that smoothly in the [`entry-server.tsx`](/solid-start/reference/entrypoints/entry-server).
+## CSP (Content Security Policy)
 
-By passing generating the `nonce` within a middleware and storing it in the `request.locals` object, it is possible to use it in the `entry-server.tsx` to generate the `Content-Security-Policy` header.
+To configure the `Content-Security-Policy` HTTP header, you can use a [middleware](/solid-start/advanced/middleware).
 
-## Cross Request Forgery (CSRF)
+### With nonce (recommended)
 
-There are multiple ways to add CSRF Protection to your SolidStart app.
-The quickest and most common way is to check the `request.referrer` header when the HTTP method is `POST`, `PUT`, `PATCH` or `DELETE`.
-This can also be achieved through an `onRequest` [middleware](/solid-start/reference/server/create-middleware#example).
+If you want to use a strict CSP with nonces:
 
-## Cross Site Scripting (XSS)
+1. Create a middleware that configures the CSP header, then register it to run on the [`onRequest`](/solid-start/advanced/middleware#onrequest) event.
+2. Store the nonce in the [`locals`](/solid-start/advanced/middleware#locals) object.
+3. Configure SolidStart to use the nonce in your [`entry-server.tsx`](/solid-start/reference/entrypoints/entry-server) file.
 
-SolidStart automatically escape inserts and attributes in HTML. 
-The exception is when HTML is inserted via the `innerHTML` property, which bypasses the escaping.
-Additionally, it's important to note that `<noscript>` are also outside of the purview of SolidStart, since those tags and its contents are evaluated even without JavaScript.
-It is important to sanitize any strings in attributes, especially when inside `<noscript>` tags.
+<TabsCodeBlocks>
+<div id="Middleware">
 
-As a rule-of-thumb it is recommended to avoid injecting HTML into your page as much as possible, make sure the contents of `<noscript>` are properly sanitized, and add a strict Content Security Policy to your application.
\ No newline at end of file
+```tsx
+import { createMiddleware } from "@solidjs/start/middleware";
+import { randomBytes } from "crypto";
+
+export default createMiddleware({
+	onRequest: (event) => {
+		const nonce = randomBytes(16).toString("base64");
+
+		event.locals.nonce = nonce;
+
+		const csp = `
+      default-src 'self';
+      script-src 'nonce-${nonce}' 'strict-dynamic' 'unsafe-eval';
+      object-src 'none';
+      base-uri 'none';
+      frame-ancestors 'none';
+      form-action 'self';
+    `.replace(/\s+/g, " ");
+
+		event.response.headers.set("Content-Security-Policy", csp);
+	},
+});
+```
+
+</div>
+<div id="entry-server.tsx">
+
+```tsx {6} title="src/entry-server.tsx"
+// @refresh reload
+import { createHandler, StartServer } from "@solidjs/start/server";
+
+export default createHandler(
+	() => <StartServer /* ... */ />,
+	(event) => ({ nonce: event.locals.nonce })
+);
+```
+
+</div>
+</TabsCodeBlocks>
+
+### Without nonce
+
+To configure CSP without a nonce, create a middleware that configures the CSP header, then register it to run on the [`onBeforeResponse`](/solid-start/advanced/middleware#onbeforeresponse) event:
+
+```tsx
+import { createMiddleware } from "@solidjs/start/middleware";
+
+export default createMiddleware({
+	onBeforeResponse: (event) => {
+		const csp = `
+      default-src 'self';
+      font-src 'self'  ;
+      object-src 'none';
+      base-uri 'none';
+      frame-ancestors 'none';
+      form-action 'self';
+    `.replace(/\s+/g, " ");
+
+		event.response.headers.set("Content-Security-Policy", csp);
+	},
+});
+```
+
+## CORS (Cross-Origin Resource Sharing)
+
+When you want to allow other applications to access your API endpoints, you can use a middleware to configure the CORS headers:
+
+```tsx
+import { createMiddleware } from "@solidjs/start/middleware";
+import { json } from "@solidjs/router";
+
+const TRUSTED_ORIGINS = ["https://my-app.com", "https://another-app.com"];
+
+export default createMiddleware({
+	onBeforeResponse: (event) => {
+		const { request, response } = event;
+
+		response.headers.append("Vary", "Origin, Access-Control-Request-Method");
+
+		const origin = request.headers.get("Origin");
+		const requestUrl = new URL(request.url);
+		const isApiRequest = requestUrl && requestUrl.pathname.startsWith("/api");
+
+		if (isApiRequest && origin && TRUSTED_ORIGINS.includes(origin)) {
+			// Handle preflight requests.
+			if (
+				request.method === "OPTIONS" &&
+				request.headers.get("Access-Control-Request-Method")
+			) {
+				// Preflight requests are standalone, so we immediately send a response.
+				return json(null, {
+					headers: {
+						"Access-Control-Allow-Origin": origin,
+						"Access-Control-Allow-Methods": "OPTIONS, POST, PUT, PATCH, DELETE",
+						"Access-Control-Allow-Headers": "Authorization, Content-Type",
+					},
+				});
+			}
+
+			// Handle normal requests.
+			response.headers.set("Access-Control-Allow-Origin", origin);
+		}
+	},
+});
+```
+
+## CSRF (Cross-Site Request Forgery)
+
+To prevent CSRF attacks, you can use a middleware to block untrusted requests.
+
+```tsx
+import { createMiddleware } from "@solidjs/start/middleware";
+import { json } from "@solidjs/router";
+
+const SAFE_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"];
+const TRUSTED_ORIGINS = ["https://another-app.com"];
+
+export default createMiddleware({
+	onRequest: (event) => {
+		const { request } = event;
+
+		if (!SAFE_METHODS.includes(request.method)) {
+			const requestUrl = new URL(request.url);
+			const origin = request.headers.get("Origin");
+
+			// If we have an Origin header, check it against our allowlist.
+			if (origin) {
+				const parsedOrigin = new URL(origin);
+
+				if (
+					parsedOrigin.origin !== requestUrl.origin &&
+					!TRUSTED_ORIGINS.includes(parsedOrigin.host)
+				) {
+					return json({ error: "origin invalid" }, { status: 403 });
+				}
+			}
+
+			// If we are serving via TLS and have no Origin header, prevent against
+			// CSRF via HTTP man-in-the-middle attacks by enforcing strict Referer
+			// origin checks.
+			if (!origin && requestUrl.protocol === "https:") {
+				const referer = request.headers.get("Referer");
+
+				if (!referer) {
+					return json({ error: "referer not supplied" }, { status: 403 });
+				}
+
+				const parsedReferer = new URL(referer);
+
+				if (parsedReferer.protocol !== "https:") {
+					return json({ error: "referer invalid" }, { status: 403 });
+				}
+
+				if (
+					parsedReferer.host !== requestUrl.host &&
+					!TRUSTED_ORIGINS.includes(parsedReferer.host)
+				) {
+					return json({ error: "referer invalid" }, { status: 403 });
+				}
+			}
+		}
+	},
+});
+```
+
+This example demonstrates a basic implementation of CSRF protection that checks for the `Origin` and `Referer` headers and blocks requests that are not from trusted origins.
+In addition, consider implementing a more comprehensive CSRF protection mechanism such as [Double-Submit Cookie Pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#alternative-using-a-double-submit-cookie-pattern).
+
+We highly recommend you read through [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) for more guidance.

From cd23779bfa54f546b809e9bb76227190e3f0a495 Mon Sep 17 00:00:00 2001
From: amirhhashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 1 Mar 2025 17:29:38 +0330
Subject: [PATCH 02/22] update

---
 src/routes/solid-start/guides/security.mdx | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index dde11685f..af65c3f5e 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -13,10 +13,11 @@ To protect your application from XSS attacks:
 
 1. Avoid using [`innerHTML`](/reference/jsx-attributes/innerhtml-or-textcontent#innerhtml-or-textcontent) when possible.
    If you must use it, sanitize the content before rendering with libraries such as [DOMPurify](https://github.com/cure53/DOMPurify).
-2. Set a Content Security Policy (CSP).
-3. Validate and sanitize user inputs.
+2. Validate and sanitize user inputs.
    Always validate form inputs on the server in addition to the client.
-4. Use the `HttpOnly` and `Secure` attributes on cookies.
+3. Set a Content Security Policy (CSP).
+
+We highly recommend you read [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) for more guidance.
 
 ## CSP (Content Security Policy)
 
@@ -141,7 +142,7 @@ export default createMiddleware({
 
 ## CSRF (Cross-Site Request Forgery)
 
-To prevent CSRF attacks, you can use a middleware to block untrusted requests.
+To prevent CSRF attacks, you can use a middleware to block untrusted requests:
 
 ```tsx
 import { createMiddleware } from "@solidjs/start/middleware";
@@ -201,4 +202,4 @@ export default createMiddleware({
 This example demonstrates a basic implementation of CSRF protection that checks for the `Origin` and `Referer` headers and blocks requests that are not from trusted origins.
 In addition, consider implementing a more comprehensive CSRF protection mechanism such as [Double-Submit Cookie Pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#alternative-using-a-double-submit-cookie-pattern).
 
-We highly recommend you read through [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) for more guidance.
+We highly recommend you read [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) for more guidance.

From b329396d30add82599eaaa5af5d91c4a02fbc9f8 Mon Sep 17 00:00:00 2001
From: amirhhashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 1 Mar 2025 17:34:08 +0330
Subject: [PATCH 03/22] update

---
 src/routes/solid-start/guides/security.mdx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index b3609de7d..3bfac4ebd 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -202,4 +202,5 @@ export default createMiddleware({
 This example demonstrates a basic implementation of CSRF protection that checks for the `Origin` and `Referer` headers and blocks requests that are not from trusted origins.
 In addition, consider implementing a more comprehensive CSRF protection mechanism such as [Double-Submit Cookie Pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#alternative-using-a-double-submit-cookie-pattern).
 
-We highly recommend you read [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) for more guidance.
\ No newline at end of file
+We highly recommend you read [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) for more guidance.
+

From 786e7fda7657130950a840b056415d7c00d35868 Mon Sep 17 00:00:00 2001
From: amirhhashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Tue, 4 Mar 2025 20:31:34 +0330
Subject: [PATCH 04/22] update

---
 src/routes/solid-start/guides/security.mdx | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 3bfac4ebd..ad44ab404 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -12,12 +12,14 @@ However, this protection does not apply when using [`innerHTML`](https://docs.so
 To protect your application from XSS attacks:
 
 1. Avoid using [`innerHTML`](/reference/jsx-attributes/innerhtml-or-textcontent#innerhtml-or-textcontent) when possible.
-   If you must use it, sanitize the content before rendering with libraries such as [DOMPurify](https://github.com/cure53/DOMPurify).
+   If necessary, make sure to sanitize user-supplied data with libraries such as [DOMPurify](https://github.com/cure53/DOMPurify).
 2. Validate and sanitize user inputs.
    Always validate form inputs on the server in addition to the client.
 3. Set a Content Security Policy (CSP).
+4. Sanitize attributes containing user-supplied data within `<noscript>` elements.
+   This includes both the attributes of the `<noscript>` element itself and its children.
 
-We highly recommend you read [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) for more guidance.
+We highly recommend reading the [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) for further guidance.
 
 ## CSP (Content Security Policy)
 
@@ -202,5 +204,4 @@ export default createMiddleware({
 This example demonstrates a basic implementation of CSRF protection that checks for the `Origin` and `Referer` headers and blocks requests that are not from trusted origins.
 In addition, consider implementing a more comprehensive CSRF protection mechanism such as [Double-Submit Cookie Pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#alternative-using-a-double-submit-cookie-pattern).
 
-We highly recommend you read [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) for more guidance.
-
+We highly recommend reading the [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) for further guidance.

From 516bc8b1c6f340f4185fcdb592264d1cf14cd208 Mon Sep 17 00:00:00 2001
From: amirhhashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Tue, 4 Mar 2025 21:08:29 +0330
Subject: [PATCH 05/22] use bullet lists

---
 src/routes/solid-start/guides/security.mdx | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index ad44ab404..ff775e0fe 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -11,13 +11,13 @@ However, this protection does not apply when using [`innerHTML`](https://docs.so
 
 To protect your application from XSS attacks:
 
-1. Avoid using [`innerHTML`](/reference/jsx-attributes/innerhtml-or-textcontent#innerhtml-or-textcontent) when possible.
-   If necessary, make sure to sanitize user-supplied data with libraries such as [DOMPurify](https://github.com/cure53/DOMPurify).
-2. Validate and sanitize user inputs.
-   Always validate form inputs on the server in addition to the client.
-3. Set a Content Security Policy (CSP).
-4. Sanitize attributes containing user-supplied data within `<noscript>` elements.
-   This includes both the attributes of the `<noscript>` element itself and its children.
+- Avoid using [`innerHTML`](/reference/jsx-attributes/innerhtml-or-textcontent#innerhtml-or-textcontent) when possible.
+  If necessary, make sure to sanitize user-supplied data with libraries such as [DOMPurify](https://github.com/cure53/DOMPurify).
+- Validate and sanitize user inputs.
+  Always validate form inputs on the server in addition to the client.
+- Set a Content Security Policy (CSP).
+- Sanitize attributes containing user-supplied data within `<noscript>` elements.
+  This includes both the attributes of the `<noscript>` element itself and its children.
 
 We highly recommend reading the [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) for further guidance.
 

From 9e9dcbf4416d9e46a48a2686b8f1d6db2a3b09c9 Mon Sep 17 00:00:00 2001
From: Amir Hossein Hashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 08:14:02 +0330
Subject: [PATCH 06/22] Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Sarah <gerrardsarah@gmail.com>
---
 src/routes/solid-start/guides/security.mdx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index ff775e0fe..3bb1e3412 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -2,7 +2,6 @@
 title: Security
 ---
 
-This guide walks you through how to implement common security mechanisms in SolidStart.
 
 ## XSS (Cross Site Scripting)
 

From 25b8d5aa41a875a9777a2dfb79f91ee54aae4420 Mon Sep 17 00:00:00 2001
From: Amir Hossein Hashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 08:14:13 +0330
Subject: [PATCH 07/22] Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Sarah <gerrardsarah@gmail.com>
---
 src/routes/solid-start/guides/security.mdx | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 3bb1e3412..6f4059357 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -12,8 +12,7 @@ To protect your application from XSS attacks:
 
 - Avoid using [`innerHTML`](/reference/jsx-attributes/innerhtml-or-textcontent#innerhtml-or-textcontent) when possible.
   If necessary, make sure to sanitize user-supplied data with libraries such as [DOMPurify](https://github.com/cure53/DOMPurify).
-- Validate and sanitize user inputs.
-  Always validate form inputs on the server in addition to the client.
+- Validate and sanitize user inputs, especially form inputs on the server and client.
 - Set a Content Security Policy (CSP).
 - Sanitize attributes containing user-supplied data within `<noscript>` elements.
   This includes both the attributes of the `<noscript>` element itself and its children.

From b55ce18369945266012c0f18a8d18852ac691bff Mon Sep 17 00:00:00 2001
From: Amir Hossein Hashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 08:15:55 +0330
Subject: [PATCH 08/22] Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Sarah <gerrardsarah@gmail.com>
---
 src/routes/solid-start/guides/security.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 6f4059357..e9a30e9c6 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -19,7 +19,7 @@ To protect your application from XSS attacks:
 
 We highly recommend reading the [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) for further guidance.
 
-## CSP (Content Security Policy)
+## Content Security Policy (CSP)
 
 To configure the `Content-Security-Policy` HTTP header, you can use a [middleware](/solid-start/advanced/middleware).
 

From 9ff7ede08cd67c4b0bfb3829959d35fa27ba8ad8 Mon Sep 17 00:00:00 2001
From: Amir Hossein Hashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 08:16:18 +0330
Subject: [PATCH 09/22] Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Sarah <gerrardsarah@gmail.com>
---
 src/routes/solid-start/guides/security.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index e9a30e9c6..93fea7e67 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -17,7 +17,7 @@ To protect your application from XSS attacks:
 - Sanitize attributes containing user-supplied data within `<noscript>` elements.
   This includes both the attributes of the `<noscript>` element itself and its children.
 
-We highly recommend reading the [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) for further guidance.
+It is highly recommend to reading the [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) for further guidance.
 
 ## Content Security Policy (CSP)
 

From fd97efa58449de3dd8e55692286e48b0629335c5 Mon Sep 17 00:00:00 2001
From: Amir Hossein Hashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 08:16:59 +0330
Subject: [PATCH 10/22] Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Sarah <gerrardsarah@gmail.com>
---
 src/routes/solid-start/guides/security.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 93fea7e67..0eeba5dff 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -142,7 +142,7 @@ export default createMiddleware({
 
 ## CSRF (Cross-Site Request Forgery)
 
-To prevent CSRF attacks, you can use a middleware to block untrusted requests:
+To prevent CSRF attacks, a middleware can be used to block untrusted requests:
 
 ```tsx
 import { createMiddleware } from "@solidjs/start/middleware";

From fb7263dc0564c5e63e637fe7f54c301bece8ffad Mon Sep 17 00:00:00 2001
From: Amir Hossein Hashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 08:17:22 +0330
Subject: [PATCH 11/22] Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Sarah <gerrardsarah@gmail.com>
---
 src/routes/solid-start/guides/security.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 0eeba5dff..1195bb486 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -199,7 +199,7 @@ export default createMiddleware({
 });
 ```
 
-This example demonstrates a basic implementation of CSRF protection that checks for the `Origin` and `Referer` headers and blocks requests that are not from trusted origins.
+This example demonstrates a basic CSRF protection that verifies the `Origin` and `Referer` headers, blocking requests from untrusted origins.
 In addition, consider implementing a more comprehensive CSRF protection mechanism such as [Double-Submit Cookie Pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#alternative-using-a-double-submit-cookie-pattern).
 
 We highly recommend reading the [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) for further guidance.

From 930df93bca04cb182c8d591ab5208e4550b8b086 Mon Sep 17 00:00:00 2001
From: Amir Hossein Hashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 08:17:39 +0330
Subject: [PATCH 12/22] Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Sarah <gerrardsarah@gmail.com>
---
 src/routes/solid-start/guides/security.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 1195bb486..5b56757e5 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -200,6 +200,6 @@ export default createMiddleware({
 ```
 
 This example demonstrates a basic CSRF protection that verifies the `Origin` and `Referer` headers, blocking requests from untrusted origins.
-In addition, consider implementing a more comprehensive CSRF protection mechanism such as [Double-Submit Cookie Pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#alternative-using-a-double-submit-cookie-pattern).
+Additionally, consider implementing a more robust CSRF protection mechanism, such as the [Double-Submit Cookie Pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#alternative-using-a-double-submit-cookie-pattern).
 
 We highly recommend reading the [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) for further guidance.

From 21bde21c4061d4d7ba97aba04753dda96f504bfc Mon Sep 17 00:00:00 2001
From: Amir Hossein Hashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 08:17:52 +0330
Subject: [PATCH 13/22] Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Sarah <gerrardsarah@gmail.com>
---
 src/routes/solid-start/guides/security.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 5b56757e5..480ea7db9 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -202,4 +202,4 @@ export default createMiddleware({
 This example demonstrates a basic CSRF protection that verifies the `Origin` and `Referer` headers, blocking requests from untrusted origins.
 Additionally, consider implementing a more robust CSRF protection mechanism, such as the [Double-Submit Cookie Pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#alternative-using-a-double-submit-cookie-pattern).
 
-We highly recommend reading the [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) for further guidance.
+For further guidance, you can look to the [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html).

From dc164f98bad851120f37555b3de2bc24aabdd2d8 Mon Sep 17 00:00:00 2001
From: amirhhashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 08:22:25 +0330
Subject: [PATCH 14/22] fix grammar and add link to csp in mdn

---
 src/routes/solid-start/guides/security.mdx | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 480ea7db9..404255c36 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -2,7 +2,6 @@
 title: Security
 ---
 
-
 ## XSS (Cross Site Scripting)
 
 Solid automatically escape values passed to JSX expressions to reduce the risk of XSS attacks.
@@ -13,11 +12,11 @@ To protect your application from XSS attacks:
 - Avoid using [`innerHTML`](/reference/jsx-attributes/innerhtml-or-textcontent#innerhtml-or-textcontent) when possible.
   If necessary, make sure to sanitize user-supplied data with libraries such as [DOMPurify](https://github.com/cure53/DOMPurify).
 - Validate and sanitize user inputs, especially form inputs on the server and client.
-- Set a Content Security Policy (CSP).
+- Set a [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
 - Sanitize attributes containing user-supplied data within `<noscript>` elements.
   This includes both the attributes of the `<noscript>` element itself and its children.
 
-It is highly recommend to reading the [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) for further guidance.
+It is highly recommended to read the [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) for further guidance.
 
 ## Content Security Policy (CSP)
 
@@ -202,4 +201,4 @@ export default createMiddleware({
 This example demonstrates a basic CSRF protection that verifies the `Origin` and `Referer` headers, blocking requests from untrusted origins.
 Additionally, consider implementing a more robust CSRF protection mechanism, such as the [Double-Submit Cookie Pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#alternative-using-a-double-submit-cookie-pattern).
 
-For further guidance, you can look to the [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html).
+For further guidance, you can look at the [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html).

From 0660e97139cc0646d974ac15f5f3cdff18243172 Mon Sep 17 00:00:00 2001
From: Amir Hossein Hashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 17:27:30 +0330
Subject: [PATCH 15/22] Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Sarah <gerrardsarah@gmail.com>
---
 src/routes/solid-start/guides/security.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 404255c36..1f40617cd 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -9,7 +9,7 @@ However, this protection does not apply when using [`innerHTML`](https://docs.so
 
 To protect your application from XSS attacks:
 
-- Avoid using [`innerHTML`](/reference/jsx-attributes/innerhtml-or-textcontent#innerhtml-or-textcontent) when possible.
+- Avoid using `innerHTML` when possible.
   If necessary, make sure to sanitize user-supplied data with libraries such as [DOMPurify](https://github.com/cure53/DOMPurify).
 - Validate and sanitize user inputs, especially form inputs on the server and client.
 - Set a [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).

From e18766c3939a32a9ca6f305fc953567e0d41b0ed Mon Sep 17 00:00:00 2001
From: Amir Hossein Hashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 17:28:06 +0330
Subject: [PATCH 16/22] Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Sarah <gerrardsarah@gmail.com>
---
 src/routes/solid-start/guides/security.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 1f40617cd..69ac68cd9 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -5,7 +5,7 @@ title: Security
 ## XSS (Cross Site Scripting)
 
 Solid automatically escape values passed to JSX expressions to reduce the risk of XSS attacks.
-However, this protection does not apply when using [`innerHTML`](https://docs.solidjs.com/reference/jsx-attributes/innerhtml-or-textcontent#innerhtml-or-textcontent).
+However, this protection does not apply when using [`innerHTML`](/reference/jsx-attributes/innerhtml-or-textcontent#innerhtml-or-textcontent).
 
 To protect your application from XSS attacks:
 

From 0c9472e020fa0ada9349906abeb402487ee9abaa Mon Sep 17 00:00:00 2001
From: amirhhashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 17:32:59 +0330
Subject: [PATCH 17/22] more info about nonce

---
 src/routes/solid-start/guides/security.mdx | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 69ac68cd9..992af4927 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -24,11 +24,12 @@ To configure the `Content-Security-Policy` HTTP header, you can use a [middlewar
 
 ### With nonce (recommended)
 
-If you want to use a strict CSP with nonces:
+If you want to use a [strict CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#strict_csp) with nonces:
 
 1. Create a middleware that configures the CSP header, then register it to run on the [`onRequest`](/solid-start/advanced/middleware#onrequest) event.
-2. Store the nonce in the [`locals`](/solid-start/advanced/middleware#locals) object.
-3. Configure SolidStart to use the nonce in your [`entry-server.tsx`](/solid-start/reference/entrypoints/entry-server) file.
+2. Create a nonce using a cryptographic random value generator, such as the [`randomBytes`](https://nodejs.org/api/crypto.html#cryptorandombytessize-callback) function from the `crypto` module.
+3. Store the nonce in the [`locals`](/solid-start/advanced/middleware#locals) object.
+4. Configure SolidStart to use the nonce in your [`entry-server.tsx`](/solid-start/reference/entrypoints/entry-server) file.
 
 <TabsCodeBlocks>
 <div id="Middleware">

From 5cbc5aa8853567ac5a4642cf3ce21cb72f22365e Mon Sep 17 00:00:00 2001
From: Amir Hossein Hashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 18:08:33 +0330
Subject: [PATCH 18/22] Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Sarah <gerrardsarah@gmail.com>
---
 src/routes/solid-start/guides/security.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 992af4927..2a775339c 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -20,7 +20,7 @@ It is highly recommended to read the [Cross Site Scripting Prevention Cheat Shee
 
 ## Content Security Policy (CSP)
 
-To configure the `Content-Security-Policy` HTTP header, you can use a [middleware](/solid-start/advanced/middleware).
+To configure the `Content-Security-Policy` HTTP header, [middleware](/solid-start/advanced/middleware) can be used.
 
 ### With nonce (recommended)
 

From b2b586c9224c0f63d129e2856c1203064a2d52df Mon Sep 17 00:00:00 2001
From: Amir Hossein Hashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 18:24:58 +0330
Subject: [PATCH 19/22] Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Sarah <gerrardsarah@gmail.com>
---
 src/routes/solid-start/guides/security.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 2a775339c..ad78ab2c2 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -76,7 +76,7 @@ export default createHandler(
 
 ### Without nonce
 
-To configure CSP without a nonce, create a middleware that configures the CSP header, then register it to run on the [`onBeforeResponse`](/solid-start/advanced/middleware#onbeforeresponse) event:
+To configure CSP without a nonce, a middleware that sets the CSP header is required, and it should be registered to run during the [`onBeforeResponse`](/solid-start/advanced/middleware#onbeforeresponse) event:
 
 ```tsx
 import { createMiddleware } from "@solidjs/start/middleware";

From 404740b7cbce24997a052c0f8f04e2d8dda6e8e3 Mon Sep 17 00:00:00 2001
From: Amir Hossein Hashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 18:25:20 +0330
Subject: [PATCH 20/22] Update src/routes/solid-start/guides/security.mdx

Co-authored-by: Sarah <gerrardsarah@gmail.com>
---
 src/routes/solid-start/guides/security.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index ad78ab2c2..1db7559cd 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -99,7 +99,7 @@ export default createMiddleware({
 
 ## CORS (Cross-Origin Resource Sharing)
 
-When you want to allow other applications to access your API endpoints, you can use a middleware to configure the CORS headers:
+When other applications need access to API endpoints, a middleware that configures the CORS headers is needed:
 
 ```tsx
 import { createMiddleware } from "@solidjs/start/middleware";

From 8d5f66f4920197a69fde6f6b4767490ff3097b74 Mon Sep 17 00:00:00 2001
From: amirhhashemi <87268103+amirhhashemi@users.noreply.github.com>
Date: Sat, 8 Mar 2025 19:57:38 +0330
Subject: [PATCH 21/22] fix grammar

---
 src/routes/solid-start/guides/security.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 1db7559cd..8dcbdf288 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -20,7 +20,7 @@ It is highly recommended to read the [Cross Site Scripting Prevention Cheat Shee
 
 ## Content Security Policy (CSP)
 
-To configure the `Content-Security-Policy` HTTP header, [middleware](/solid-start/advanced/middleware) can be used.
+To configure the `Content-Security-Policy` HTTP header, a [middleware](/solid-start/advanced/middleware) can be used.
 
 ### With nonce (recommended)
 

From 1ff3de381e0c36ea7b9a00cde8130159ba1188d5 Mon Sep 17 00:00:00 2001
From: Sarah <gerrardsarah@gmail.com>
Date: Sat, 8 Mar 2025 13:54:54 -0800
Subject: [PATCH 22/22] Update src/routes/solid-start/guides/security.mdx

---
 src/routes/solid-start/guides/security.mdx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/routes/solid-start/guides/security.mdx b/src/routes/solid-start/guides/security.mdx
index 8dcbdf288..ad249f652 100644
--- a/src/routes/solid-start/guides/security.mdx
+++ b/src/routes/solid-start/guides/security.mdx
@@ -26,7 +26,8 @@ To configure the `Content-Security-Policy` HTTP header, a [middleware](/solid-st
 
 If you want to use a [strict CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#strict_csp) with nonces:
 
-1. Create a middleware that configures the CSP header, then register it to run on the [`onRequest`](/solid-start/advanced/middleware#onrequest) event.
+1. Create a middleware that configures the CSP header.
+It must then be registered using the [`onRequest`](/solid-start/advanced/middleware#onrequest) event.
 2. Create a nonce using a cryptographic random value generator, such as the [`randomBytes`](https://nodejs.org/api/crypto.html#cryptorandombytessize-callback) function from the `crypto` module.
 3. Store the nonce in the [`locals`](/solid-start/advanced/middleware#locals) object.
 4. Configure SolidStart to use the nonce in your [`entry-server.tsx`](/solid-start/reference/entrypoints/entry-server) file.