next-safe allows you to configure every header that it generates. Most config options may be set to false to disable the feature. Here are the default values for all config options.
nextSafe({
  contentTypeOptions: "nosniff",
  contentSecurityPolicy: {
    "base-uri": "'none'",
    "child-src": "'none'",
    "connect-src": "'self'",
    "default-src": "'self'",
    "font-src": "'self'",
    "form-action": "'self'",
    "frame-ancestors": "'none'",
    "frame-src": "'none'",
    "img-src": "'self'",
    "manifest-src": "'self'",
    "media-src": "'self'",
    "object-src": "'none'",
    "prefetch-src": "'self'",
    "script-src": "'self'",
    "style-src": "'self'",
    "worker-src": "'self'",
    mergeDefaultDirectives: false,
    reportOnly: false,
  },
  frameOptions: "DENY",
  permissionsPolicy: {},
  permissionsPolicyDirectiveSupport: ["proposed", "standard"],
  isDev: false,
  referrerPolicy: "no-referrer",
  xssProtection: "1; mode=block",
})
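As an added example (not part of next-safe or its documentation), the following Node.js function compares an options object against the defaults listed above and reports disabled headers, report-only mode, and CSP directives that are looser than the defaults. The function name `auditNextSafeConfig`, the finding strings, and the sample configuration are assumptions made for illustration.

```javascript
// Added example (not next-safe code): audit an options object against the
// defaults listed on this page. Function name and finding texts are hypothetical.
const DEFAULT_CSP = { // copied from the defaults above
  "base-uri": "'none'", "child-src": "'none'", "connect-src": "'self'",
  "default-src": "'self'", "font-src": "'self'", "form-action": "'self'",
  "frame-ancestors": "'none'", "frame-src": "'none'", "img-src": "'self'",
  "manifest-src": "'self'", "media-src": "'self'", "object-src": "'none'",
  "prefetch-src": "'self'", "script-src": "'self'", "style-src": "'self'",
  "worker-src": "'self'",
};
const HEADER_OPTIONS = ["contentTypeOptions", "contentSecurityPolicy",
  "frameOptions", "permissionsPolicy", "referrerPolicy", "xssProtection"];
const RISKY_SOURCES = ["'unsafe-inline'", "'unsafe-eval'", "*"];

function auditNextSafeConfig(cfg = {}) {
  const findings = [];
  for (const opt of HEADER_OPTIONS) {
    if (cfg[opt] === false) findings.push(`${opt}: header disabled`);
  }
  if (cfg.isDev === true) findings.push("isDev: true (default is false)");
  const csp = cfg.contentSecurityPolicy;
  if (csp && typeof csp === "object") {
    if (csp.reportOnly === true) {
      findings.push("contentSecurityPolicy: reportOnly, violations are reported but not blocked");
    }
    for (const [name, value] of Object.entries(csp)) {
      if (!(name in DEFAULT_CSP)) continue; // skips mergeDefaultDirectives, reportOnly
      if (value === false) { findings.push(`${name}: set to false`); continue; }
      // Assumption: a directive value is a string or an array of source strings.
      const sources = [].concat(value).join(" ").split(/\s+/).filter(Boolean);
      for (const src of sources) {
        if (RISKY_SOURCES.includes(src)) findings.push(`${name}: allows ${src}`);
      }
      if (DEFAULT_CSP[name] === "'none'" && !sources.includes("'none'")) {
        findings.push(`${name}: default 'none' widened to ${sources.join(" ")}`);
      }
    }
  }
  return findings;
}

// Constructed sample configuration, for illustration only.
const sample = {
  frameOptions: false,
  contentSecurityPolicy: { "script-src": ["'self'", "'unsafe-inline'"],
    "frame-ancestors": "'self'", reportOnly: true },
};
console.log(auditNextSafeConfig(sample));
```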
For more information on each of these options, check out their documentation:
contentSecurityPolicy
contentTypeOptions
frameOptions
isDev
permissionsPolicy
permissionsPolicyDirectiveSupport
xssProtection