Security Headers
HTTP security header configuration for Next.js including Content Security Policy, CORS, cache control, and permissions policy.
What's Included
- Next.js headers configuration (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- Content Security Policy builder with configurable directives
- Nonce-based inline script support via middleware
- CORS configuration with origin allowlisting
- Cache control headers for sensitive vs public data
- Permissions-Policy to disable unused browser features
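The header set listed above, as an added example in plain JavaScript (not Bootspring's own code and not what the CLI emits): the static headers in the `{ key, value }` shape Next.js expects from `headers()` in next.config.js, CORS with an origin allowlist, and cache-control selection for sensitive versus public routes. The route prefixes, the Permissions-Policy feature list and the allowlist are assumptions to adapt. The CORS helper belongs in middleware or a route handler, because `headers()` in next.config.js is static and cannot react to the request's `Origin`.

```javascript
// Added example, not Bootspring's code. Static security headers in the
// { key, value } shape that `headers()` in next.config.js returns, plus
// CORS allowlisting and cache-control selection. Values marked "assumption"
// are illustrative and must be adapted to the application.

const ONE_YEAR_SECONDS = 31536000; // the minimum max-age accepted for HSTS preload

// Headers that are safe to send on every response. CSP is deliberately absent:
// a nonce-based policy has to be built per request in middleware.
function baseSecurityHeaders({ hstsPreload = true } = {}) {
  const hsts = [`max-age=${ONE_YEAR_SECONDS}`, 'includeSubDomains'];
  if (hstsPreload) hsts.push('preload');
  return [
    { key: 'Strict-Transport-Security', value: hsts.join('; ') },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    // Assumption: this app uses none of these features; list only what you need.
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(), payment=()' },
  ];
}

// Cache-Control by route. Responses that can carry user data must never be
// stored by a shared cache or replayed from the browser cache after logout.
// The route prefixes are assumptions.
function cacheControlFor(pathname) {
  if (pathname.startsWith('/_next/static/')) return 'public, max-age=31536000, immutable';
  if (/^\/(api|account|dashboard)(\/|$)/.test(pathname)) return 'no-store';
  return 'private, no-cache';
}

// CORS with an exact-match allowlist. Reflecting an arbitrary Origin together
// with Allow-Credentials would let any site read authenticated responses, so a
// disallowed origin gets null and the caller sends no CORS headers at all.
function corsHeadersFor(origin, allowlist) {
  if (!origin || !allowlist.includes(origin)) return null;
  return [
    { key: 'Access-Control-Allow-Origin', value: origin },
    { key: 'Vary', value: 'Origin' }, // keeps caches from serving one origin's answer to another
    { key: 'Access-Control-Allow-Methods', value: 'GET, POST, OPTIONS' },
    { key: 'Access-Control-Allow-Headers', value: 'Content-Type, Authorization' },
    { key: 'Access-Control-Allow-Credentials', value: 'true' },
  ];
}

// The array `async headers()` in next.config.js would return. Sources use
// Next.js path matching; which routes count as sensitive is an assumption.
function nextHeadersConfig() {
  return [
    { source: '/:path*', headers: baseSecurityHeaders() },
    { source: '/api/:path*', headers: [{ key: 'Cache-Control', value: cacheControlFor('/api/') }] },
    { source: '/account/:path*', headers: [{ key: 'Cache-Control', value: cacheControlFor('/account/') }] },
  ];
}

// In next.config.js:  module.exports = { async headers() { return nextHeadersConfig(); } };
```

`nextHeadersConfig()` is what `async headers()` returns; `corsHeadersFor()` runs per request in middleware, where the `Origin` header is available, and its `null` result means "send nothing" rather than "send a wildcard".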
Usage
Via CLI
Via AI Assistant
Ask your AI assistant:
- "Use the security headers pattern from Bootspring"
- "Apply the Bootspring security headers pattern to my project"
Key Considerations
- Start with restrictive policies (default-src 'self', object-src 'none', frame-ancestors 'none') and loosen individual directives only as needed
- Use per-request nonces for inline scripts instead of unsafe-inline; a nonce must be unpredictable and generated fresh for every response, never reused across requests or baked into a static build
- Test thoroughly, ideally by shipping the policy as Content-Security-Policy-Report-Only first, since security headers can break third-party integrations such as analytics, embeds and payment widgets
- Monitor CSP violations by pointing report-uri at an endpoint you control, and add report-to with a matching Reporting-Endpoints header for browsers that use the Reporting API, to catch issues early
- Submit your domain to the HSTS preload list for maximum transport security; preload requires a max-age of at least one year (31536000), includeSubDomains and the preload directive, it covers every subdomain, and removal takes a long time to reach browsers, so confirm that all subdomains serve HTTPS first
Related Patterns
- CSRF Protection - Cross-site request forgery prevention
- Input Validation - Validate all user input
- API Middleware - Request middleware patterns
- Rate Limiting - Protect against abuse