next headers

alexsharamok · Sep 21, 2023 · 61b3d3b · 61b3d3b
1 parent 94aeb8a
commit 61b3d3b
Showing 1 changed file with 55 additions and 0 deletions.
diff --git a/next.config.js b/next.config.js
@@ -15,6 +15,61 @@ const nextConfig = {
     ],
     deviceSizes: [320, 420, 640, 768, 1024, 1280, 1536],
   },
+  headers: async () => [
+    {
+      // https://nextjs.org/docs/advanced-features/security-headers
+      // Apply these headers to all routes in your application.
+      source: '/:path*',
+      headers: [
+        {
+          key: 'Content-Security-Policy',
+          value: `${ContentSecurityPolicy.join(
+            ' '
+          )}; base-uri 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self' https://uniform.app; img-src 'self' https: data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests `,
+        },
+        {
+          key: 'X-XSS-Protection',
+          value: '1; mode=block',
+        },
+        {
+          key: 'X-Content-Type-Options',
+          value: 'nosniff',
+        },
+        {
+          key: 'Referrer-Policy',
+          value: 'No-Referrer',
+        },
+        {
+          key: 'Permissions-Policy',
+          value: 'camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=()',
+        },
+        {
+          key: 'Strict-Transport-Security',
+          value: 'max-age=63072000; includeSubDomains; preload',
+        },
+        {
+          key: 'Custom-Uniform',
+          value: 'uni-header',
+        },
+        {
+          key: 'Cross-Origin-Embedder-Policy',
+          value: 'unsafe-none',
+        },
+        {
+          key: 'Cross-Origin-Opener-Policy',
+          value: 'same-origin',
+        },
+        {
+          key: 'Cross-Origin-Resource-Policy',
+          value: 'same-origin',
+        },
+        {
+          key: 'X-Frame-Options',
+          value: 'SAMEORIGIN',
+        },
+      ],
+    },
+  ],
 };
 
 module.exports = nextConfig;