Added security headers to prevent clickjacking on sign in (#1068)

Klakurka · chedieck · web-flow · commit 9acfa66856aa · 2025-10-17T20:06:20.000-07:00
* Added security headers.

* refactor: stricter policy

* fix: contradicting policy

* refactor: reident

* refactor: nit

---------

Co-authored-by: Estevão &lt;estevao@chedieck.com&gt;
diff --git a/next.config.js b/next.config.js
@@ -1,45 +1,56 @@
 const paybuttonConfig = require('./paybutton-config.json')
 
 const {
-    PHASE_DEVELOPMENT_SERVER,
-    PHASE_PRODUCTION_BUILD,
-    PHASE_PRODUCTION_SERVER,
-  } = require('next/constants')
-  
-  // This uses phases as outlined here: https://nextjs.org/docs/#custom-configuration
-  module.exports = (phase) => {
-    // when started in development mode `next dev` or `npm run dev` regardless of the value of STAGING environmental variable
-    const isDev = phase === PHASE_DEVELOPMENT_SERVER
-    // when `next build` or `npm run build` is used
-    const isBuild = phase === PHASE_PRODUCTION_BUILD && process.env.STAGING !== '1'
-    // when `next start` or `npm run start` is used
-    const isProd = phase === PHASE_PRODUCTION_SERVER
-    // when `next build` or `npm run build` is used
-    const isStaging =
-      phase === PHASE_PRODUCTION_BUILD && process.env.STAGING === '1'
-  
-    const branch = process.env.BRANCH || 'master'
-    console.log(`branch: ${branch}\nisDev:${isDev}  isBuild:${isBuild}  isProd:${isProd}  isStaging:${isStaging}`)
-  
-    return {
-      outputFileTracing: true,
-      eslint: {
-        ignoreDuringBuilds: true
-      },
-      typescript: {
-        ignoreBuildErrors: true
-      },
-      async rewrites() {
-        return [
-          {
-            source: '/:path*',
-            destination: '/:path*',
-          },
-          {
-            source: '/:path*',
-            destination: `/api/:path*`,
-          },
-        ]
-      },
-    }
+  PHASE_DEVELOPMENT_SERVER,
+  PHASE_PRODUCTION_BUILD,
+  PHASE_PRODUCTION_SERVER,
+} = require('next/constants')
+
+// This uses phases as outlined here: https://nextjs.org/docs/#custom-configuration
+module.exports = (phase) => {
+  // when started in development mode `next dev` or `npm run dev` regardless of the value of STAGING environmental variable
+  const isDev = phase === PHASE_DEVELOPMENT_SERVER
+  // when `next build` or `npm run build` is used
+  const isBuild = phase === PHASE_PRODUCTION_BUILD && process.env.STAGING !== '1'
+  // when `next start` or `npm run start` is used
+  const isProd = phase === PHASE_PRODUCTION_SERVER
+  // when `next build` or `npm run build` is used
+  const isStaging =
+    phase === PHASE_PRODUCTION_BUILD && process.env.STAGING === '1'
+
+  const branch = process.env.BRANCH || 'master'
+  console.log(`branch: ${branch}\nisDev:${isDev}  isBuild:${isBuild}  isProd:${isProd}  isStaging:${isStaging}`)
+
+  return {
+    outputFileTracing: true,
+    eslint: {
+      ignoreDuringBuilds: true
+    },
+    typescript: {
+      ignoreBuildErrors: true
+    },
+    async headers () {
+      return [
+        {
+          source: '/(.*)',
+          headers: [
+            { key: 'X-Frame-Options', value: 'DENY' },
+            { key: 'Content-Security-Policy', value: "frame-ancestors 'none'" },
+          ],
+        },
+      ]
+    },
+    async rewrites () {
+      return [
+        {
+          source: '/:path*',
+          destination: '/:path*',
+        },
+        {
+          source: '/:path*',
+          destination: `/api/:path*`,
+        },
+      ]
+    },
   }
+}
