Skip to content

Security: Add Security Headers via next.config.ts #83

Description

@aniruddhaadak80

The app currently sends responses without any HTTP security headers. This leaves it open to certain types of attacks — like someone embedding the app in an iframe on a malicious site, or a browser guessing incorrect content types for uploaded files.

This feature adds a set of standard security headers to every response from the Next.js server by configuring them in next.config.ts. These headers are checked by tools like securityheaders.com and are a baseline expectation for any professional web application.

No visible change for users — this is purely protective infrastructure that runs silently in the background.

What needs to be built

  • X-Frame-Options: DENY to prevent clickjacking
  • X-Content-Type-Options: nosniff to prevent MIME sniffing
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy to restrict access to camera, microphone unless needed
  • Content-Security-Policy in report-only mode first, then enforced after testing
  • All headers configured in next.config.ts headers() function

Metadata

Metadata

Assignees

No one assigned

    Labels

    backendRelates to server-side logic or databasedevopsCI/CD, deployments, infrastructureenhancementNew feature or requestsecuritySecurity enhancements

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions