Description
Describe the feature you'd like to request
Next.js provides the ability to set custom headers, but you need to do the research to understand which security headers should be included to secure your site. It would be great if Next.js had sensible defaults that users could override or disable if not needed. This would provide more security out of the box.
Describe the solution you'd like
By default, we should set some (or all) of the security headers listed in this tweet: https://twitter.com/leeerob/status/1381605537742254082.
We should also generate a least privilege CSP. This will require adding documentation as well, so folks understand why these have been added, what they do, and how to turn them off.
Describe alternatives you've considered
Manually adding security headers in next.config.js. Currently, we have added documentation with some recommendations for headers to add: https://nextjs.org/docs/advanced-features/security-headers