NEXTJS_MISSING_SECURITY_HEADERS

Requires that security headers are set correctly for Next.js apps and contain valid directives.

Conformance is available on Enterprise plans

Setting security headers improves the security of your application. Security headers can be set for all routes in [next.config.js](https://nextjs.org/docs/advanced-features/security-headers). This conformance check requires that the security headers are set and use a valid value.

Required headers:

  • Content-Security-Policy
  • Strict-Transport-Security
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy

```text
Conformance errors found!

A Conformance error occurred in test "NEXTJS_MISSING_SECURITY_HEADERS".

The security header "Strict-Transport-Security" is not set correctly. The "includeSubDomains" directive should be used in conjunction with the "preload" directive.

To find out more information and how to fix this error, visit
/docs/workflow-collaboration/conformance/rules/NEXTJS_MISSING_SECURITY_HEADERS.

If this violation should be ignored, add the following entry to
/apps/docs/.allowlists/NEXTJS_MISSING_SECURITY_HEADERS.allowlist.json
and get approval from the appropriate person.

{
  "testName": "NEXTJS_MISSING_SECURITY_HEADERS",
  "reason": "TODO: Add reason why this violation is allowed to be ignored.",
  "location": {
    "workspace": "docs"
  },
  "details": {
    "header": "Strict-Transport-Security"
  }
}
```

Follow the Next.js security headers documentation to fix this Conformance test. That document walks through each header and links to further documentation explaining what the headers do and how to choose the best values for your application.
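As an added example (not code from the Vercel or Next.js documentation), the following `next.config.js` fragment sets all five required headers for every route, with `Strict-Transport-Security` pairing `includeSubDomains` with `preload` as the error above demands; `findHeaderProblems` is a hypothetical local pre-check that mirrors the rule and is not Vercel's implementation. The individual header values are illustrative choices, not values the page prescribes.

```javascript
const securityHeaders = [
  {
    key: "Content-Security-Policy",
    value: "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  },
  {
    // Two-year max-age; includeSubDomains paired with preload as the check requires.
    key: "Strict-Transport-Security",
    value: "max-age=63072000; includeSubDomains; preload",
  },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
];

// The headers() function Next.js calls from next.config.js; applies to every route.
async function headers() {
  return [{ source: "/(.*)", headers: securityHeaders }];
}

// Hypothetical local pre-check (not Vercel's implementation) mirroring the
// conformance rule: every required header present, HSTS carries a max-age, and
// includeSubDomains is not used without preload.
const REQUIRED_HEADERS = [
  "Content-Security-Policy",
  "Strict-Transport-Security",
  "X-Frame-Options",
  "X-Content-Type-Options",
  "Referrer-Policy",
];

function findHeaderProblems(headerList) {
  const byKey = new Map(headerList.map((h) => [h.key.toLowerCase(), h.value]));
  const problems = REQUIRED_HEADERS.filter((n) => !byKey.has(n.toLowerCase())).map((n) => `${n}: missing`);
  const hsts = byKey.get("strict-transport-security");
  if (hsts !== undefined) {
    const directives = hsts.split(";").map((d) => d.trim().toLowerCase());
    if (!directives.some((d) => d.startsWith("max-age="))) {
      problems.push("Strict-Transport-Security: max-age directive is required");
    }
    if (directives.includes("includesubdomains") && !directives.includes("preload")) {
      problems.push("Strict-Transport-Security: includeSubDomains must be used together with preload");
    }
  }
  return problems;
}

if (typeof module !== "undefined") module.exports = { headers, securityHeaders, findHeaderProblems };
```

In a real `next.config.js` the export is `module.exports = { async headers() { ... } }`; the pre-check can run in CI before the conformance test does.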

Last updated on July 23, 2024