flowCreate.solutions

Headers & CSP (Frontend Standard)

This document defines the baseline security headers posture for Next.js frontends.

Projects should implement a baseline set of headers appropriate to their UX and embedding requirements.

At minimum, consider:

  • Referrer-Policy
  • X-Content-Type-Options: nosniff
  • X-Frame-Options or CSP frame-ancestors (prefer CSP when possible)
  • Permissions-Policy
  • Strict-Transport-Security (HSTS; production only, after confirming HTTPS everywhere)
  • A Content Security Policy (CSP) appropriate to the project

CSP policy (standard approach)

Policy goals:

  • prevent inline script execution unless explicitly required
  • constrain script/image/connect sources to known hosts
  • prevent clickjacking via frame-ancestors

Rule: CSP is project-specific and must be documented in the project repo; regardless of the policy chosen, this standard requires teams to treat CSP as a first-class security control.

Where to configure

Acceptable approaches (project chooses; document it):

  • Next.js headers() configuration
  • Middleware
  • Reverse proxy / edge config (if the deployment platform provides it)
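The following is an added example of the first approach (a next.config.js using Next.js headers()); it is not code from this standard or from any particular project. The hosts https://api.example.com and https://cdn.example.com are placeholders for a project's documented allow-list, and the Referrer-Policy and Permissions-Policy values are one reasonable baseline, not the only acceptable one. HSTS is emitted only when NODE_ENV is production, matching the "production only" rule above.

```javascript
// next.config.js (added example; not the standard's own code).
// https://api.example.com and https://cdn.example.com are placeholder hosts:
// replace them with the project's documented allow-list.

const cspDirectives = {
  'default-src': ["'self'"],
  // No 'unsafe-inline' here: inline scripts must be opted in explicitly
  // (nonce or hash) after a documented review.
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'data:', 'https://cdn.example.com'],
  'font-src': ["'self'"],
  'connect-src': ["'self'", 'https://api.example.com'],
  'frame-ancestors': ["'none'"], // clickjacking defence; supersedes X-Frame-Options
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
  'object-src': ["'none'"],
};

// Serialise the directive map into a single Content-Security-Policy value.
function buildCsp(directives = cspDirectives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Baseline header set. HSTS is added only for production builds, after the
// team has confirmed that every environment is served over HTTPS.
function securityHeaders({ production } = { production: false }) {
  const headers = [
    { key: 'Content-Security-Policy', value: buildCsp() },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  ];
  if (production) {
    headers.push({
      key: 'Strict-Transport-Security',
      value: 'max-age=63072000; includeSubDomains',
    });
  }
  return headers;
}

/** @type {import('next').NextConfig} */
const nextConfig = {
  async headers() {
    return [
      {
        source: '/:path*', // apply to every route
        headers: securityHeaders({ production: process.env.NODE_ENV === 'production' }),
      },
    ];
  },
};

// Export for Next.js (CommonJS); the guard keeps the file loadable as ESM too.
if (typeof module !== 'undefined') module.exports = nextConfig;
```

Keeping the directives in a plain object rather than a hand-written string makes the allow-list reviewable in diffs and lets a test assert on the emitted header, which is the easiest way to keep the documented CSP and the deployed CSP from drifting apart.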

Don’ts

  • Don’t disable CSP “to make something work” without a documented threat review.
  • Don’t allow * for script-src/connect-src unless there is a documented, reviewed reason.
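As an added example (not tooling from this standard or any project), the check below turns the two Don'ts into something a CI step can run against the Content-Security-Policy header the app actually emits: it reports an absent or empty policy, a bare * source in script-src or connect-src (including when the wildcard arrives through default-src fallback), and a missing frame-ancestors directive. The sample policies at the bottom are constructed for the self-check.

```javascript
// Added example: a small CSP lint for CI or a pre-deploy test.
// Flags what this standard forbids without a documented review: a disabled
// policy and a bare '*' source in script-src or connect-src.

const REVIEWED_DIRECTIVES = ['script-src', 'connect-src'];

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Effective sources for a fetch directive: browsers fall back to default-src
// when the directive itself is absent, so the lint must do the same.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.get('default-src') || [];
}

// Return a list of human-readable findings; an empty list means the header
// clears the minimum bar described in this standard.
function lintCsp(policyHeader) {
  const findings = [];
  if (!policyHeader || policyHeader.trim() === '') {
    findings.push('CSP is absent or empty: the policy is effectively disabled');
    return findings;
  }
  const directives = parseCsp(policyHeader);
  for (const name of REVIEWED_DIRECTIVES) {
    const sources = effectiveSources(directives, name);
    if (sources.includes('*')) {
      const via = directives.has(name) ? name : 'default-src fallback';
      findings.push(`${name} allows '*' (via ${via}); needs a documented, reviewed reason`);
    }
  }
  if (!directives.has('frame-ancestors')) {
    findings.push('frame-ancestors is not set; clickjacking protection relies on X-Frame-Options alone');
  }
  return findings;
}

// Constructed sample policies for the self-check (not from any real deployment).
const SAMPLE_STRICT =
  "default-src 'self'; script-src 'self'; connect-src 'self' https://api.example.com; frame-ancestors 'none'";
const SAMPLE_LOOSE = "default-src *; script-src 'self' *; frame-ancestors 'none'";
```

The check deliberately matches only a bare *; a host pattern such as https://*.example.com is narrower and is left to the project's documented allow-list review. Running lintCsp over the header captured from a staging response is a cheap way to catch a policy that was "temporarily" loosened and never tightened again.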