feat: add security headers to next.config.js (task 6.1)

Add async headers() function with X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Content-Security-Policy headers applied to all routes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-18 11:33:52 +01:00 · 2026-02-18 11:33:52 +01:00 · 34e543ea96
commit 34e543ea96
parent 3d8672121e
2 changed files with 31 additions and 1 deletions
--- a/next.config.js
+++ b/next.config.js
@ -1,6 +1,36 @@
 /** @type {import('next').NextConfig} */
 const nextConfig = {
  output: 'standalone',
+
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'X-Frame-Options',
+            value: 'DENY',
+          },
+          {
+            key: 'X-Content-Type-Options',
+            value: 'nosniff',
+          },
+          {
+            key: 'Referrer-Policy',
+            value: 'strict-origin-when-cross-origin',
+          },
+          {
+            key: 'Permissions-Policy',
+            value: 'camera=(), microphone=(), geolocation=()',
+          },
+          {
+            key: 'Content-Security-Policy',
+            value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'",
+          },
+        ],
+      },
+    ]
+  },
 }

 module.exports = nextConfig