Feature: Security Headers
Purpose
- Feature name: Security headers
- Why this feature exists: Reduce browser attack surface and enforce safe content execution.
Scope
In scope
- CSP enforcement with nonces
- X-Frame-Options and X-Content-Type-Options
- Referrer-Policy and Permissions-Policy
Out of scope
- dependency scanning (covered in supply chain features)
- secrets scanning (covered in secrets hygiene)
Prerequisites
- Security headers configured in the app
- CSP nonce handling enabled
Procedure / Content
Feature summary
- Feature name: Security headers
- Feature group: Security posture and hardening
- Technical summary: Sets strict security headers and CSP to reduce XSS and clickjacking risk.
- Low-tech summary: Adds browser safety rules to block unsafe scripts and framing.
Feature in action
- Where to see it working: Any deployed route; inspect the response headers.
Confirmation Process
Manual
- Steps: Run curl -I against a deployed URL and inspect the response headers.
- What to look for: CSP present, X-Frame-Options and X-Content-Type-Options set, referrer policy set.
- Artifacts or reports to inspect: Deployment logs or header validation output.
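The manual check above, as an added example that is not part of this feature's own code base: a small JavaScript validator that takes the raw curl -I output and reports which of the expected headers are missing or too permissive. The nonce regex, the sample responses and the finding texts are constructed for this example.

```javascript
// Added example, not code from this feature's repository: checks the headers the
// manual procedure tells you to inspect. Pass the raw `curl -I` output to checkSecurityHeaders().
// Assumes CSP nonce sources of the form 'nonce-<base64>' (the regex below is our own).
const NONCE_RE = /^'nonce-[A-Za-z0-9+/=_-]{16,}'$/;

// Raw header block -> { lowercased name: value }; the status line has no ':' and is skipped.
function parseHeaderBlock(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// CSP value -> { directive: [sources] }, e.g. { 'script-src': ["'self'", "'nonce-...'"] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Returns a list of findings; an empty list means every header check passed.
function checkSecurityHeaders(raw) {
  const h = parseHeaderBlock(raw);
  const findings = [];
  if (!h['content-security-policy']) {
    findings.push('CSP missing');
  } else {
    const d = parseCsp(h['content-security-policy']);
    const script = d['script-src'] || d['default-src'] || []; // script-src falls back to default-src
    const hasNonce = script.some((s) => NONCE_RE.test(s));
    if (!hasNonce) findings.push('script-src has no nonce');
    // Browsers that understand nonces ignore 'unsafe-inline' once a nonce is present, so it
    // only widens the policy (and is only flagged) when no nonce is set.
    if (script.includes("'unsafe-inline'") && !hasNonce) findings.push("script-src allows 'unsafe-inline'");
    if (script.some((s) => s === '*' || s === 'http:' || s === 'https:')) findings.push('script-src allows arbitrary hosts');
  }
  if (!['DENY', 'SAMEORIGIN'].includes((h['x-frame-options'] || '').toUpperCase())) findings.push('X-Frame-Options missing or not DENY/SAMEORIGIN');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if (!h['referrer-policy']) findings.push('Referrer-Policy missing');
  return findings;
}

// Constructed sample responses (not captured from a real deployment).
const GOOD = ['HTTP/2 200', "content-security-policy: default-src 'self'; script-src 'self' 'nonce-rAnd0mBase64Value==' 'strict-dynamic' 'unsafe-inline'; style-src 'self' 'nonce-rAnd0mBase64Value=='", 'x-frame-options: DENY', 'x-content-type-options: nosniff', 'referrer-policy: strict-origin-when-cross-origin'].join('\n');
const WEAK = ['HTTP/2 200', "Content-Security-Policy: default-src *; script-src 'self' 'unsafe-inline'", 'X-Content-Type-Options: nosniff'].join('\n');
```

A single response cannot show that the nonce changes per request; fetch the same route twice and confirm the nonce values differ.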
Tests
- CSP missing or too permissive.
- Inline scripts blocked due to missing nonce configuration.
Long-term maintenance notes
- Review CSP quarterly and after adding scripts.
- Re-verify header values after framework upgrades.
Technologies
- Next.js App Router
- React
- Helmet-like header configuration
Source code references (GitHub URLs)
ADRs
Runbooks
Additional internal references
External reference links
Validation / Expected outcomes
- Security headers present on all routes.
- CSP enforces script and style sources.
Failure modes / Troubleshooting
- Missing headers: confirm configuration and redeploy.
- CSP violations: update nonce strategy or CSP directives.
References