

Configure secure nextjs headers
andychase committed Oct 28, 2024

1 parent 90e9ce6 commit a75fcd3
Showing 1 changed file with 35 additions and 0 deletions.
35 changes: 35 additions & 0 deletions next.config.js
@@ -1,5 +1,18 @@
const { i18n } = require('./next-i18next.config');

const cspHeader = `
default-src 'self';
script-src 'self' 'unsafe-eval' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
img-src 'self' blob: data:;
font-src 'self';
object-src 'none';
base-uri 'self';
form-action 'self';
frame-ancestors 'none';
upgrade-insecure-requests;
`

/** @type {import('next').NextConfig} */
const nextConfig = {
i18n,
@@ -13,6 +26,28 @@ const nextConfig = {

return config;
},

async headers() {
return [
{
source: "/(.*)",
headers: [
{
key: "Content-Security-Policy",
value: cspHeader.replace(/\n/g, ''),
},
{
key: "X-Content-Type-Options",
value: "nosniff",
},
{
key: "Strict-Transport-Security",
value: "max-age=31536000; includeSubDomains; preload",
},
],
},
];
},
};

module.exports = nextConfig;
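Review bot: The new `cspHeader` grants `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, which allows any injected inline script to run and so removes most of the XSS protection a Content-Security-Policy is added for; `'unsafe-eval'` is normally only needed by the development build, so consider gating it, e.g. `script-src 'self' ${process.env.NODE_ENV === 'development' ? "'unsafe-eval'" : ''} 'unsafe-inline';`. A comment above `cspHeader` should state which bundled code still requires `'unsafe-inline'` and carry a TODO to move to a nonce- or hash-based policy, otherwise the next reader will assume the policy is strict. The `Strict-Transport-Security` value with `preload` and `includeSubDomains` commits every subdomain to HTTPS once the domain is submitted to the preload list, which is hard to undo and worth a one-line comment on that entry. The `nextConfig` object that `headers()` is defined in starts outside the second hunk.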
