Configure secure nextjs headers

USEPA · Oct 28, 2024 · a75fcd3 · a75fcd3
1 parent 90e9ce6
commit a75fcd3
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/next.config.js b/next.config.js
@@ -1,5 +1,18 @@
 const { i18n } = require('./next-i18next.config');
 
+const cspHeader = `
+    default-src 'self';
+    script-src 'self' 'unsafe-eval' 'unsafe-inline';
+    style-src 'self' 'unsafe-inline';
+    img-src 'self' blob: data:;
+    font-src 'self';
+    object-src 'none';
+    base-uri 'self';
+    form-action 'self';
+    frame-ancestors 'none';
+    upgrade-insecure-requests;
+`
+
 /** @type {import('next').NextConfig} */
 const nextConfig = {
   i18n,
@@ -13,6 +26,28 @@ const nextConfig = {
 
     return config;
   },
+
+  async headers() {
+    return [
+      {
+        source: "/(.*)",
+        headers: [
+          {
+            key: "Content-Security-Policy",
+            value: cspHeader.replace(/\n/g, ''),
+          },
+          {
+            key: "X-Content-Type-Options",
+            value: "nosniff",
+          },
+          {
+            key: "Strict-Transport-Security",
+            value: "max-age=31536000; includeSubDomains; preload",
+          },
+        ],
+      },
+    ];
+  },
 };
 
 module.exports = nextConfig;