{"id":14483567,"url":"https://github.com/Baroshem/next-security","last_synced_at":"2025-08-30T04:31:36.883Z","repository":{"id":184304964,"uuid":"671078691","full_name":"Baroshem/next-security","owner":"Baroshem","description":"🛡 Security plugin for Next.js based on OWASP and Helmet","archived":false,"fork":false,"pushed_at":"2023-10-25T06:06:52.000Z","size":295,"stargazers_count":25,"open_issues_count":15,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-29T21:41:05.302Z","etag":null,"topics":["basicauthentication","cors","csrf","ddos","headers","helmet","nextjs","owasp","rate-limiting","security","xss"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Baroshem.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-26T13:44:36.000Z","updated_at":"2025-06-02T22:32:17.000Z","dependencies_parsed_at":"2024-09-03T00:06:17.475Z","dependency_job_id":"64d83840-7a2d-4b6f-b38a-aaaf37621ec6","html_url":"https://github.com/Baroshem/next-security","commit_stats":null,"previous_names":["baroshem/next-security"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/Baroshem/next-security","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Baroshem%2Fnext-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Baroshem%2Fnext-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Baroshem%2Fnext-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Baroshem%2Fnext-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Baroshem","download_url":"https://codeload.github.com/Baroshem/next-security/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Baroshem%2Fnext-security/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272805349,"owners_count":24995909,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-30T02:00:09.474Z","response_time":77,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["basicauthentication","cors","csrf","ddos","headers","helmet","nextjs","owasp","rate-limiting","security","xss"],"created_at":"2024-09-03T00:01:52.351Z","updated_at":"2025-08-30T04:31:36.531Z","avatar_url":"https://github.com/Baroshem.png","language":"TypeScript","readme":"# next-security\n\n[![npm version][npm-version-src]][npm-version-href]\n[![npm downloads][npm-downloads-src]][npm-downloads-href]\n[![Github Actions CI][github-actions-ci-src]][github-actions-ci-href]\n[![License][license-src]][license-href]\n\n\u003e Security plugin for Next.js based on [OWASP Top 10](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#nodejs-security-cheat-sheet) and [helmet](https://helmetjs.github.io/) that adds security response headers.\n\n- [👾 \u0026nbsp;Playground](https://stackblitz.com/github/baroshem/next-security?file=.stackblitz%2Fnext.config.js)\n\n## Features\n\n- No configuration security headers similar to Helmet.js\n- Customization of all header values\n- `[Coming soon]` Content Security Policy (CSP) for SSG apps\n- `[Coming soon]` Request Size limiter\n- `[Coming soon]` Cross Site Scripting (XSS) Validation\n- `[Coming soon]` Cross-Origin Resource Sharing (CORS) support\n- `[Coming soon]` `[Optional]` Allowed HTTP Methods, Basic Auth, CSRF, Rate Limiter\n\n## Usage\n\nInstall the plugin:\n\n```sh\nnpm i next-security\nyarn add next-security\npnpm add next-security\n```\n\nAdd the plugin to the `next.config.js` like following :\n\n```js\n/** @type {import('next').NextConfig} */\nconst { headers } = require('next-security');\nconst nextConfig = {\n  ...headers(), // with this approach you will also hide the `X-Powered-By` header that is a good pattern\n};\n\nmodule.exports = nextConfig;\n```\n\nOr, if you want to have more control over the source for the headers:\n\n```js\n/** @type {import('next').NextConfig} */\nconst { createHeaders } = require('next-security');\nconst nextConfig = {\n  async headers() {\n    return [\n      {\n        source: '/(.*)',\n        headers: createHeaders(),\n      },\n    ];\n  },\n  // poweredByHeader: false // you can add this manually\n};\n\nmodule.exports = nextConfig;\n```\n\nAnd that's it! The plugin will now register security response headers so that your application will be more secure.\n\nIf you inspect the headers that are being returned by the Next application in the browser, you should see the following result:\n\n```md\ncross-origin-resource-policy: same-origin\ncross-origin-opener-policy: same-origin\ncross-origin-embedder-policy: require-corp\ncontent-security-policy: base-uri 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests\norigin-agent-cluster: ?1\nreferrer-policy: no-referrer\nstrict-transport-security: max-age=15552000; includeSubDomains\nx-content-type-options: nosniff\nx-dns-prefetch-control: off\nx-download-options: noopen\nx-frame-options: SAMEORIGIN\nx-permitted-cross-domain-policies: none\nx-xss-protection: 0\npermissions-policy: camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=()\n```\n\n## Configuration\n\nYou can pass configuration to the plugin like following:\n\n```js\n/** @type {import('next').NextConfig} */\nconst { headers } = require('next-security');\nconst nextConfig = {\n  ...headers({\n    xXSSProtection: '1',\n    crossOriginResourcePolicy: 'cross-origin',\n    contentSecurityPolicy: false,\n  }),\n};\n\nmodule.exports = nextConfig;\n```\n\n[npm-version-src]: https://img.shields.io/npm/v/next-security/latest.svg\n[npm-version-href]: https://npmjs.com/package/next-security\n[npm-downloads-src]: https://img.shields.io/npm/dt/next-security.svg\n[npm-downloads-href]: https://npmjs.com/package/next-security\n[github-actions-ci-src]: https://github.com/baroshem/next-security/actions/workflows/ci.yml/badge.svg\n[github-actions-ci-href]: https://github.com/baroshem/next-security/actions?query=workflow%3Aci\n[license-src]: https://img.shields.io/npm/l/next-security.svg\n[license-href]: https://npmjs.com/package/next-security\n","funding_links":[],"categories":["TypeScript"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBaroshem%2Fnext-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FBaroshem%2Fnext-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBaroshem%2Fnext-security/lists"}