NEXTJS_MISSING_SECURITY_HEADERS
Requires that security headers are set correctly for Next.js apps and contain valid directives.
Conformance is available on Enterprise plans
Setting security headers improves the security of your application.
Security headers can be set for all routes in [next.config.js files](https://nextjs.org/docs/advanced-features/security-headers). This conformance check requires that the security headers are set and use a valid value.
Required headers:
- Content-Security-Policy
- Strict-Transport-Security
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
```
Conformance errors found!

A Conformance error occurred in test "NEXTJS_MISSING_SECURITY_HEADERS".

The security header "Strict-Transport-Security" is not set correctly. The "includeSubDomains" directive should be used in conjunction with the "preload" directive.

To find out more information and how to fix this error, visit
/docs/workflow-collaboration/conformance/rules/NEXTJS_MISSING_SECURITY_HEADERS.

If this violation should be ignored, add the following entry to
/apps/docs/.allowlists/NEXTJS_MISSING_SECURITY_HEADERS.allowlist.json
and get approval from the appropriate person.

{
  "testName": "NEXTJS_MISSING_SECURITY_HEADERS",
  "reason": "TODO: Add reason why this violation is allowed to be ignored.",
  "location": {
    "workspace": "docs"
  },
  "details": {
    "header": "Strict-Transport-Security"
  }
}
```
Follow the Next.js security headers documentation to fix this Conformance test. That document walks through each of the headers and links to further documentation that explains what the headers do and how to set the best values for your application.
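As an added example (not code from the Vercel or Next.js documentation), this `next.config.js` sets the five required headers on every route and includes a local check for the `preload`/`includeSubDomains` pairing reported in the error above. The header values are constructed samples, and `findHeaderProblems` is a hypothetical helper, not the Conformance rule's own logic.

```javascript
// Added example: sample values, not taken from the Vercel or Next.js docs.
const REQUIRED_HEADERS = [
  'Content-Security-Policy',
  'Strict-Transport-Security',
  'X-Frame-Options',
  'X-Content-Type-Options',
  'Referrer-Policy',
];

// Constructed sample values; tune the CSP to what your app actually loads.
const securityHeaders = [
  { key: 'Content-Security-Policy', value: "default-src 'self'" },
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
];

const nextConfig = {
  // Apply the headers to every route.
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }];
  },
};

// Hypothetical helper: lists required headers that are missing or empty, and
// flags an HSTS value that uses "preload" without "includeSubDomains".
function findHeaderProblems(headers) {
  const byName = new Map(headers.map((h) => [h.key.toLowerCase(), h.value.trim()]));
  const problems = REQUIRED_HEADERS
    .filter((name) => !byName.get(name.toLowerCase()))
    .map((name) => `${name}: missing or empty`);
  const hsts = byName.get('strict-transport-security');
  if (hsts) {
    const directives = hsts.split(';').map((d) => d.trim().toLowerCase());
    if (!directives.some((d) => /^max-age=\d+$/.test(d))) {
      problems.push('Strict-Transport-Security: max-age is required');
    }
    if (directives.includes('preload') && !directives.includes('includesubdomains')) {
      problems.push('Strict-Transport-Security: preload requires includeSubDomains');
    }
  }
  return problems;
}

// Export for next.config.js (CommonJS); skipped when run as an ES module.
if (typeof module !== 'undefined') module.exports = nextConfig;
```

Running `findHeaderProblems(securityHeaders)` in a unit test or pre-commit step catches a dropped header or a malformed HSTS value before the Conformance run does.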
Last updated on July 23, 2024