From f44cf1a5f6f910b09d429123bd5df007dec455c9 Mon Sep 17 00:00:00 2001 From: DanielS Date: Thu, 25 Jun 2026 15:49:40 +0200 Subject: [PATCH] sec: Add HTTP security headers and disable X-Powered-By header based on ZAP report --- shop/next.config.ts | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/shop/next.config.ts b/shop/next.config.ts index d79f1fc..f3d41f1 100644 --- a/shop/next.config.ts +++ b/shop/next.config.ts @@ -3,6 +3,32 @@ import type { NextConfig } from "next"; const nextConfig: NextConfig = { output: "standalone", cacheComponents: false, + poweredByHeader: false, + async headers() { + return [ + { + source: '/:path*', + headers: [ + { + key: 'X-Frame-Options', + value: 'SAMEORIGIN', + }, + { + key: 'X-Content-Type-Options', + value: 'nosniff', + }, + { + key: 'Strict-Transport-Security', + value: 'max-age=31536000; includeSubDomains; preload', + }, + { + key: 'Content-Security-Policy', + value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self' data:; connect-src 'self' https://*.supabase.co wss://*.supabase.co https://*.supabase.net wss://*.supabase.net; frame-ancestors 'self';", + }, + ], + }, + ]; + }, }; export default nextConfig;