Appearance
Security Headers
Add HTTP security headers to your Next.js app via next.config.js.
Configuration
javascript
// /next.config.js
const nextConfig = {
reactStrictMode: true,
images: {
domains: [
"lh3.googleusercontent.com", // Google OAuth profile images
"pbs.twimg.com", // Twitter profile images
],
},
async headers() {
return [
{
source: "/(.*)",
headers: [
{
key: "Strict-Transport-Security",
value: "max-age=31536000; includeSubDomains; preload",
},
{
key: "X-Frame-Options",
value: "DENY",
},
{
key: "X-Content-Type-Options",
value: "nosniff",
},
{
key: "Referrer-Policy",
value: "strict-origin-when-cross-origin",
},
],
},
];
},
};
module.exports = nextConfig;Header Reference
| Header | Value | Effect |
|---|---|---|
Strict-Transport-Security | max-age=31536000; includeSubDomains; preload | Forces HTTPS for 1 year, includes subdomains |
X-Frame-Options | DENY | Prevents clickjacking — blocks iframe embedding |
X-Content-Type-Options | nosniff | Prevents MIME-type sniffing attacks |
Referrer-Policy | strict-origin-when-cross-origin | Limits referrer info sent to third parties |
Notes
- These headers apply to all routes via the
/(.*)source pattern X-Frame-Options: DENYwill break any embed of your app in an iframe — useSAMEORIGINif you need self-embedding- Add more domains to
images.domainsif you display profile images from other providers