Skip to content

Security Headers

Add HTTP security headers to your Next.js app via next.config.js.

Configuration

javascript
// /next.config.js
const nextConfig = {
  reactStrictMode: true,
  images: {
    domains: [
      "lh3.googleusercontent.com",  // Google OAuth profile images
      "pbs.twimg.com",              // Twitter profile images
    ],
  },
  async headers() {
    return [
      {
        source: "/(.*)",
        headers: [
          {
            key: "Strict-Transport-Security",
            value: "max-age=31536000; includeSubDomains; preload",
          },
          {
            key: "X-Frame-Options",
            value: "DENY",
          },
          {
            key: "X-Content-Type-Options",
            value: "nosniff",
          },
          {
            key: "Referrer-Policy",
            value: "strict-origin-when-cross-origin",
          },
        ],
      },
    ];
  },
};

module.exports = nextConfig;

Header Reference

HeaderValueEffect
Strict-Transport-Securitymax-age=31536000; includeSubDomains; preloadForces HTTPS for 1 year, includes subdomains
X-Frame-OptionsDENYPrevents clickjacking — blocks iframe embedding
X-Content-Type-OptionsnosniffPrevents MIME-type sniffing attacks
Referrer-Policystrict-origin-when-cross-originLimits referrer info sent to third parties

Notes

  • These headers apply to all routes via the /(.*) source pattern
  • X-Frame-Options: DENY will break any embed of your app in an iframe — use SAMEORIGIN if you need self-embedding
  • Add more domains to images.domains if you display profile images from other providers

See Also