Add security headers to next.config.js

[Ayush-Patel-56]

Problem

The app has no HTTP security headers. No X-Frame-Options, no content type sniffing protection, nothing. Basic hardening for any production app.

Fix

Add headers in next.config.js:

async headers() {
  return [{
    source: '/(.*)',
    headers: [
      { key: 'X-Frame-Options', value: 'DENY' },
      { key: 'X-Content-Type-Options', value: 'nosniff' },
      { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
      { key: 'Permissions-Policy', value: 'camera=(), microphone=()' },
    ],
  }];
}

CSP can be a follow-up since it needs more tuning - start with these safe ones.

[Suriya29-2006]

Hi, @Ayush-Patel-56
I’d like to work on this issue for GSSoC 2026. I can add the recommended HTTP security headers in next.config.js and verify they are applied correctly. Please assign this issue to me.

[omkartike]

i would like to work on this under nsoc can you assign me and add a nsoc lable . i think previous assignee is not working on it

[ash1shkumar]

Hi @Ayush-Patel-56

I’d like to work on this issue under GSSoC & NSOC. I’ve already contributed to this repository before, so I’m familiar with the codebase and can implement the required HTTP security headers quickly and properly test them.

Please assign this issue to me.