The app currently sends responses without any HTTP security headers. This leaves it open to certain types of attacks — like someone embedding the app in an iframe on a malicious site, or a browser guessing incorrect content types for uploaded files.
This feature adds a set of standard security headers to every response from the Next.js server by configuring them in next.config.ts. These headers are checked by tools like securityheaders.com and are a baseline expectation for any professional web application.
No visible change for users — this is purely protective infrastructure that runs silently in the background.
What needs to be built
- X-Frame-Options: DENY to prevent clickjacking
- X-Content-Type-Options: nosniff to prevent MIME sniffing
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy to restrict access to camera, microphone unless needed
- Content-Security-Policy in report-only mode first, then enforced after testing
- All headers configured in next.config.ts headers() function
The app currently sends responses without any HTTP security headers. This leaves it open to certain types of attacks — like someone embedding the app in an iframe on a malicious site, or a browser guessing incorrect content types for uploaded files.
This feature adds a set of standard security headers to every response from the Next.js server by configuring them in next.config.ts. These headers are checked by tools like securityheaders.com and are a baseline expectation for any professional web application.
No visible change for users — this is purely protective infrastructure that runs silently in the background.
What needs to be built