HTTP Security Headers
Assemble Web applies HTTP security headers to every response via the middleware.ts file. The headers differ between development and production environments to balance strict security with a comfortable developer experience.
Configuration Location
All security headers are defined in middleware.ts, which uses the constants.ts SECURITY_HEADERS value to define certain configurable values.
Middleware implementation follows Recommended nonce CSP defined within the Next.js Documentation value together with other security headers such as:
X-Frame-OptionsX-Content-Type-OptionsReferrer-PolicyPermissions-PolicyStrict-Transport-Security
Implementation allows developers to set CONTENT_SECURITY_POLICY_REPORT_ONLY environment variable to allow changing from Content-Security-Policy to Content-Security-Policy-Report-Only so you can fix issues without blocking the application.
Provider Arrays
Before the headers are built, four arrays from the SECURITY_HEADERS.CSP define the allowed external origins. These are the primary lists to update when a new third-party service is integrated.
| Array | CSP directive it feeds | Purpose |
|---|---|---|
providers | connect-src | REST/WebSocket endpoints (APIs, telemetry) |
media | media-src | Video/audio asset CDNs |
script | script-src | Allowed external script origins |
image | img-src | Image proxy / CDN hosts |
Headers Reference
Development vs. Production
The middleware checks process.env.NODE_ENV === 'development' and returns a relaxed policy set in development or a strict one in production.
How to Update for a New Project
1. Adding a new API or WebSocket origin
Add the URL to the providers array:
providers: [
// … existing entries …
'https://api.my-new-service.com',
'wss://realtime.my-new-service.com',
];
2. Adding a new video/audio CDN
Add the CDN origin to media:
media: [
// … existing entries …
'https://cdn.my-video-provider.com',
];
3. Adding an external script (e.g., analytics or monitoring)
Add the script origin to script:
script: [
// … existing entries …
'https://cdn.analytics-provider.com',
];
4. Adding an image CDN
Add the CDN origin to SECURITY_HEADERS.CSP.image, and also add its hostname to images.remotePatterns in next.config so the Next.js <Image> component can load images from that host:
image: [
// … existing entries …
'https://images.my-cdn.com',
];
// Also update the Next.js images config:
images: {
remotePatterns: [
{ hostname: 'image-proxy.ps.accedo.tv' },
{ hostname: 'cdn.one.accedo.tv' },
{ hostname: 'images.my-cdn.com' }, // ← add here too
],
};
Some unknown value are set using http: as per definition (https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy#host-source) When matching schemes, secure upgrades are allowed.
Keep providers, media, script, and image as specific as possible. Wildcard subdomains (*.example.com) are acceptable when the subdomain space is controlled by a trusted party, but avoid overly broad patterns like https: or *.
Verifying Headers in the Browser
- Open DevTools → Network tab.
- Reload the page and select the main document request.
- Check the Response Headers panel for the headers listed above.