{"id":14483651,"url":"https://github.com/jagaapple/next-secure-headers","last_synced_at":"2025-04-12T18:50:19.572Z","repository":{"id":36316962,"uuid":"223368735","full_name":"jagaapple/next-secure-headers","owner":"jagaapple","description":"Sets secure response headers for Next.js.","archived":false,"fork":false,"pushed_at":"2022-08-21T13:17:48.000Z","size":605,"stargazers_count":320,"open_issues_count":14,"forks_count":14,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-03T22:07:23.589Z","etag":null,"topics":["csp","headers","nextjs","security"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jagaapple.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-11-22T09:26:27.000Z","updated_at":"2025-04-02T09:23:46.000Z","dependencies_parsed_at":"2022-08-08T14:02:28.423Z","dependency_job_id":null,"html_url":"https://github.com/jagaapple/next-secure-headers","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jagaapple%2Fnext-secure-headers","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jagaapple%2Fnext-secure-headers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jagaapple%2Fnext-secure-headers/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jagaapple%2Fnext-secure-headers/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jagaapple","download_url":"https:
//codeload.github.com/jagaapple/next-secure-headers/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248618220,"owners_count":21134199,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csp","headers","nextjs","security"],"created_at":"2024-09-03T00:01:57.090Z","updated_at":"2025-04-12T18:50:19.548Z","avatar_url":"https://github.com/jagaapple.png","language":"TypeScript","readme":"\u003ch1 align=\"center\"\u003enext-secure-headers\u003c/h1\u003e\n\n\u003ch4 align=\"center\"\u003e⛑️ Sets secure response headers for Next.js. 🌻\u003c/h4\u003e\n\n```js\n// /next.config.js\n\nmodule.exports = {\n  async headers() {\n    return [{\n      source: \"/(.*)\",\n      headers: createSecureHeaders({\n        contentSecurityPolicy: {\n          directives: {\n            defaultSrc: \"'self'\",\n            styleSrc: [\"'self'\", \"https://stackpath.bootstrapcdn.com\"],\n          },\n        },\n        forceHTTPSRedirect: [true, { maxAge: 60 * 60 * 24 * 4, includeSubDomains: true }],\n        referrerPolicy: \"same-origin\",\n      })\n    }];\n  },\n};\n```\n\n\u003cdiv align=\"center\"\u003e\n\u003ca href=\"https://www.npmjs.com/package/next-secure-headers\"\u003e\u003cimg src=\"https://img.shields.io/npm/v/next-secure-headers.svg\" alt=\"npm\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/jagaapple/next-secure-headers/actions?query=workflow%3A%22Build+and+test%22\"\u003e\u003cimg src=\"https://github.com/jagaapple/next-secure-headers/workflows/Build%20and%20test/badge.svg\" alt=\"GitHub 
Actions\"\u003e\u003c/a\u003e\n\u003ca href=\"https://codecov.io/gh/jagaapple/next-secure-headers\"\u003e\u003cimg src=\"https://img.shields.io/codecov/c/github/jagaapple/next-secure-headers.svg\"\u003e\u003c/a\u003e\n\u003ca href=\"https://opensource.org/licenses/MIT\"\u003e\u003cimg src=\"https://img.shields.io/github/license/jagaapple/next-secure-headers.svg\" alt=\"license\"\u003e\u003c/a\u003e\n\u003ca href=\"https://twitter.com/jagaapple_tech\"\u003e\u003cimg src=\"https://img.shields.io/badge/contact-%40jagaapple_tech-blue.svg\" alt=\"@jagaapple_tech\"\u003e\u003c/a\u003e\n\u003c/div\u003e\n\n## Table of Contents\n\n\u003c!-- TOC depthFrom:2 --\u003e\n\n- [Table of Contents](#table-of-contents)\n- [Features](#features)\n  - [Why use next-secure-headers instead of Helmet?](#why-use-next-secure-headers-instead-of-helmet)\n    - [next-secure-headers vs Helmet](#next-secure-headers-vs-helmet)\n- [Quick Start](#quick-start)\n  - [Requirements](#requirements)\n  - [Installation](#installation)\n  - [Setup](#setup)\n    - [Use `createSecureHeaders` in `next.config.js` (RECOMMENDED)](#use-createsecureheaders-in-nextconfigjs-recommended)\n    - [Use `withSecureHeaders` in page components](#use-withsecureheaders-in-page-components)\n- [Rules](#rules)\n  - [`forceHTTPSRedirect`](#forcehttpsredirect)\n  - [`frameGuard`](#frameguard)\n  - [`noopen`](#noopen)\n  - [`nosniff`](#nosniff)\n  - [`xssProtection`](#xssprotection)\n  - [`contentSecurityPolicy`](#contentsecuritypolicy)\n  - [`expectCT`](#expectct)\n  - [`referrerPolicy`](#referrerpolicy)\n- [API](#api)\n  - [`createSecureHeaders`](#createsecureheaders)\n  - [`withSecureHeaders`](#withsecureheaders)\n  - [`createHeadersObject`](#createheadersobject)\n- [Recipes](#recipes)\n  - [How to remove X-Powered-By header](#how-to-remove-x-powered-by-header)\n  - [Overrides headers in a specific page using `withSecureHeaders`](#overrides-headers-in-a-specific-page-using-withsecureheaders)\n- [Contributing to 
next-secure-headers](#contributing-to-next-secure-headers)\n- [License](#license)\n\n\u003c!-- /TOC --\u003e\n\n\n## Features\n| FEATURES                    | WHAT YOU CAN DO                                                   |\n|-----------------------------|-------------------------------------------------------------------|\n| ⚛️ **Designed for Next.js**  | Use in `next.config.js` or in page components under `/pages`      |\n| ✨ **Default applied rules** | Sensible defaults help your project even if you don't know these headers |\n| 🎩 **Type Safe**            | Can be used with TypeScript                                       |\n\n### Why use next-secure-headers instead of Helmet?\nnext-secure-headers is similar to [Helmet](https://github.com/helmetjs/helmet), which sets security-related HTTP response headers\nfor Express.js.\n\nNext.js can run inside Node.js frameworks such as Express.js, so you can use Helmet with your Next.js project if you\ncreate a custom server, but the Next.js development team does not recommend a custom server.\nThey are also working to make Next.js usable without one. In fact, Next.js 9 supports\n[Dynamic Routing](https://github.com/zeit/next.js/#dynamic-routing), so we no longer need to build a custom server in order to\nimplement it with a library such as [next-routes](https://github.com/fridays/next-routes), which requires a custom server.\n\n```js\n// /next.config.js\nconst { createSecureHeaders } = require(\"next-secure-headers\");\n\nmodule.exports = {\n  async headers() {\n    return [{ source: \"/(.*)\", headers: createSecureHeaders() }];\n  },\n};\n```\n\nIf you want to use Helmet, you must use a custom server, which goes against the recommended way. To solve this problem, next-secure-headers\nwas born. next-secure-headers is built for Next.js projects so that you can specify any headers in `next.config.js` or page\ncomponents.\n\n#### next-secure-headers vs Helmet\nThe following table compares the rules next-secure-headers and Helmet provide. 
next-secure-headers is inspired by Helmet, but it doesn't have\nsome rules for some reason.\n\n|                                   | next-secure-headers     | Helmet                  | Comment                                                                                           |\n|-----------------------------------|-------------------------|-------------------------|---------------------------------------------------------------------------------------------------|\n| Strict-Transport-Security         | `forceHTTPSRedirect`    | `hsts`                  |                                                                                                   |\n| X-Frame-Options                   | `frameGuard`            | `frameguard`            |                                                                                                   |\n| X-Download-Options                | `noopen`                | `ieNoOpen`              |                                                                                                   |\n| X-Content-Type-Options            | `nosniff`               | `noSniff`               |                                                                                                   |\n| X-XSS-Protection                  | `xssProtection`         | `xssFilter`             |                                                                                                   |\n| Content-Security-Policy           | `contentSecurityPolicy` | `contentSecurityPolicy` |                                                                                                   |\n| Expect-CT                         | `expectCT`              | `expectCt`              |                                                                                                   |\n| Referrer-Policy                   | `referrerPolicy`        | `referrerPolicy`        |                                                                                                 
  |\n| X-DNS-Prefetch-Control            | -                       | `dnsPrefetchControl`    | This has privacy implications but this improves performance.                                      |\n| Feature-Policy                    | -                       | `featurePolicy`         | Feature Policy improves security but it is working draft yet.                                     |\n| X-Powered-By                      | -                       | `hidePoweredBy`         | [Next.js supports to remove this header in `next.config.js`](#how-to-remove-x-powered-by-header). |\n| Related to cache                  | -                       | `nocache`               | As Helmet said, caching has lots of benefits.                                                     |\n| X-Permitted-Cross-Domain-Policies | -                       | `crossdomain`           | Adobe Flash is one of old web technologies.                                                       |\n\n\n## Quick Start\n### Requirements\n- npm or Yarn\n- Node.js 10.0.0 or higher\n- Next.js 8.0.0 or higher\n\n### Installation\n```bash\n$ npm install -D next-secure-headers\n```\n\nIf you are using Yarn, use the following command.\n\n```bash\n$ yarn add -D next-secure-headers\n```\n\n\u003e ❗️ **For `withSecureHeaders` .**\n\u003e If you want to use `withSecureHeaders` , you have to install without `-D` option (i.e., installing as `dependencies` not\n\u003e `devDependencies` ).\n\n### Setup\nThere are two ways to specify headers.\nOne is to use `createSecureHeaders` in `next.config.js` , and another is to use `withSecureHeaders` in page components.\n\n#### Use `createSecureHeaders` in `next.config.js` (RECOMMENDED)\n\u003e ❗️ **Next.js 9.5 or higher is required.**\n\u003e `headers` function has been supported since Next.js 9.5, so you have to use Next.js 9.5 or higher if you want to use this way.\n\n\u003e 🤔 **For Next.js 10 and I18n routes.**\n\u003e If your project uses Next.js 10 and built-in I18n routes, and you want 
to apply rules to all pages, you have to specify\n\u003e `\"/:path*\"` as the `source` property instead of `\"/(.*)\"` .\n\u003e Conversely, if your project doesn't use I18n routes even though it uses Next.js 10, you have to specify `\"/(.*)\"` instead.\n\u003e These limitations may be bugs in Next.js.\n\nThis way uses the `createSecureHeaders` function together with [the built-in header configuration of Next.js](https://nextjs.org/docs/api-reference/next.config.js/headers).\nIt does not require any server, can be used with static pages, and retains [Automatic Static Optimization](https://nextjs.org/docs/advanced-features/automatic-static-optimization).\nIf your project does not use any server (static pages or SSG) or you have just created a Next.js project, I recommend keeping static pages and adopting this way.\n\nImport `createSecureHeaders` from next-secure-headers and call it in the async `headers` function in `next.config.js` .\n\n```js\n// /next.config.js\nconst { createSecureHeaders } = require(\"next-secure-headers\");\n\nmodule.exports = {\n  async headers() {\n    return [{ source: \"/(.*)\", headers: createSecureHeaders() }];\n  },\n};\n```\n\nBy default, next-secure-headers applies some rules. 
If you want to enable or disable rules, you can give options to the first\nargument of the function.\n\n```js\nmodule.exports = {\n  async headers() {\n    return [{\n      source: \"/(.*)\",\n      headers: createSecureHeaders({\n        contentSecurityPolicy: {\n          directives: {\n            defaultSrc: \"'self'\",\n            styleSrc: [\"'self'\", \"https://stackpath.bootstrapcdn.com\"],\n          },\n        },\n        forceHTTPSRedirect: [true, { maxAge: 60 * 60 * 24 * 4, includeSubDomains: true }],\n        referrerPolicy: \"same-origin\",\n      }),\n    }];\n  },\n};\n```\n\nAlso, you can configure different headers by URLs following [the official documents](https://nextjs.org/docs/api-reference/next.config.js/headers).\n\n#### Use `withSecureHeaders` in page components\n\u003e ❗️ **Servers are required.**\n\u003e This way requires any servers because `withSecureHeaders` uses `getServerSideProps` of Next.js.\n\nUse an exported function for your Next.js application in `/pages/_app.tsx` . Also, you can use in any page components in\n`/pages/xxx.tsx` instead.\n\n```ts\n// /pages/_app.tsx\nimport { withSecureHeaders } from \"next-secure-headers\";\n\nclass Application extends App {\n  ...\n}\n\nexport default withSecureHeaders()(Application);\n```\n\nBy default, next-secure-headers applies some rules. 
If you want to enable or disable rules, you can give options to the first\nargument of the function.\n\n```ts\nexport default withSecureHeaders({\n  contentSecurityPolicy: {\n    directives: {\n      defaultSrc: \"'self'\",\n      styleSrc: [\"'self'\", \"https://stackpath.bootstrapcdn.com\"],\n    },\n  },\n  forceHTTPSRedirect: [true, { maxAge: 60 * 60 * 24 * 4, includeSubDomains: true }],\n  referrerPolicy: \"same-origin\",\n})(Application);\n```\n\n\n## Rules\n### `forceHTTPSRedirect`\n```ts\n{\n  forceHTTPSRedirect: boolean | [true, Partial\u003c{ maxAge: number; includeSubDomains: boolean; preload: boolean }\u003e];\n}\n```\n\n| Default Value                  | MDN                                                                           |\n|--------------------------------|-------------------------------------------------------------------------------|\n| `[true, { maxAge: 63072000 }]` | https://developer.mozilla.org/docs/Web/HTTP/Headers/Strict-Transport-Security |\n\nThis is to set \"Strict-Transport-Security (HSTS)\" header and it's to prevent man-in-the-middle attacks during redirects from\nHTTP to HTTPS. To enable this is highly recommended if you use HTTPS (SSL) on your servers.\n\nYou can give `true` if you want to enable this rule, or you can specify options by giving `[true, OPTION_OBJECT]` . By default,\nthis sets `max-age` to two years (63,072,000 seconds).\n\n### `frameGuard`\n```ts\n{\n  frameGuard: false | \"deny\" | \"sameorigin\" | [\"allow-from\", { uri: string | URL }];\n}\n```\n\n| Default Value | MDN                                                                 |\n|---------------|---------------------------------------------------------------------|\n| `\"deny\"`      | https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Frame-Options |\n\nThis is to set \"X-Frame-Options\" header and it's to prevent clickjacking attacks. 
`\"deny\"` is highly recommended if you don't\nuse frame elements such as `iframe` .\n\n### `noopen`\n```ts\n{\n  noopen: false | \"noopen\";\n}\n```\n\n| Default Value | MDN                                                                    |\n|---------------|------------------------------------------------------------------------|\n| `\"noopen\"`    | https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Download-Options |\n\nThis is to set the \"X-Download-Options\" header and it's to prevent IE8+ from opening downloaded files automatically (MIME handling\nattacks).\n\n### `nosniff`\n```ts\n{\n  nosniff: false | \"nosniff\";\n}\n```\n\n| Default Value | MDN                                                                        |\n|---------------|----------------------------------------------------------------------------|\n| `\"nosniff\"`   | https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Content-Type-Options |\n\nThis is to set the \"X-Content-Type-Options\" header and it's to prevent MIME sniffing attacks.\n\n### `xssProtection`\n```ts\n{\n  xssProtection: false | \"sanitize\" | \"block-rendering\" | [\"report\", { uri: string | URL }];\n}\n```\n\n| Default Value | MDN                                                                  |\n|---------------|----------------------------------------------------------------------|\n| `\"sanitize\"`  | https://developer.mozilla.org/docs/Web/HTTP/Headers/X-XSS-Protection |\n\nThis is to set the \"X-XSS-Protection\" header and it's to prevent XSS attacks.\n\nIf you specify `\"sanitize\"` , this sets the header to `\"1\"` and browsers will sanitize the unsafe part of the page. If you specify\n`\"block-rendering\"` , this sets the header to `\"1; mode=block\"` and browsers will block rendering of the page. 
\"X-XSS-Protection\"\nblocks many XSS attacks, but Content Security Policy is recommended to use compared to this.\n\n### `contentSecurityPolicy`\n```ts\n{\n  contentSecurityPolicy:\n    | false\n    | {\n        directives:\n          \u0026 Partial\u003c{\n            childSrc: string | string[];\n            connectSrc: string | string[];\n            defaultSrc: string | string[];\n            fontSrc: string | string[];\n            frameSrc: string | string[];\n            imgSrc: string | string[];\n            manifestSrc: string | string[];\n            mediaSrc: string | string[];\n            prefetchSrc: string | string[];\n            objectSrc: string | string[];\n            scriptSrc: string | string[];\n            scriptSrcElem: string | string[];\n            scriptSrcAttr: string | string[];\n            styleSrc: string | string[];\n            styleSrcElem: string | string[];\n            styleSrcAttr: string | string[];\n            workerSrc: string | string[];\n          }\u003e\n          \u0026 Partial\u003c{\n            baseURI: string | string[];\n            pluginTypes: string | string[];\n            sandbox:\n              | true\n              | \"allow-downloads-without-user-activation\"\n              | \"allow-forms\"\n              | \"allow-modals\"\n              | \"allow-orientation-lock\"\n              | \"allow-pointer-lock\"\n              | \"allow-popups\"\n              | \"allow-popups-to-escape-sandbox\"\n              | \"allow-presentation\"\n              | \"allow-same-origin\"\n              | \"allow-scripts\"\n              | \"allow-storage-access-by-user-activation\"\n              | \"allow-top-navigation\"\n              | \"allow-top-navigation-by-user-activation\";\n          }\u003e\n          \u0026 Partial\u003c{\n            formAction: string | string[];\n            frameAncestors: string | string[];\n            navigateTo: string | string[];\n            reportURI: string | URL | (string | 
URL)[];\n            reportTo: string;\n          }\u003e;\n        reportOnly?: boolean;\n      };\n}\n```\n\n| Default Value | MDN                                                                         |\n|---------------|-----------------------------------------------------------------------------|\n| `false`       | https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy |\n\nThis is to set \"Content-Security-Policy\" or \"Content-Security-Policy-Report-Only\" header and it's to prevent to load and execute\nnon-allowed resources.\n\nIf you give true to `reportOnly` , this sets \"Content-Security-Policy-Report-Only\" to value instead of \"Content-Security-Policy\".\n\nAlso you can specify directives using chain-case names such as `child-src` instead of `childSrc` .\n\n\u003e **❗️ When setting `frameAncestors` :X-Frame-Options takes priority.**\n\u003e [Section \"Relation to X-Frame-Options\" of the CSP Spec](https://w3c.github.io/webappsec-csp/#frame-ancestors-and-frame-options) says: _\"If a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is \"enforce\", then the X-Frame-Options header MUST be ignored\"_, but Chrome 40 \u0026 Firefox 35 ignore the frame-ancestors directive and follow the X-Frame-Options header instead.\n\u003e \n\u003e Therefore, if setting `frameAncestors` you should set `frameGuard` to `false`.\n\n### `expectCT`\n```ts\n{\n  expectCT: boolean | [true, Partial\u003c{ maxAge: number; enforce: boolean; reportURI: string | URL }\u003e];\n}\n```\n\n| Default Value | MDN                                                           |\n|---------------|---------------------------------------------------------------|\n| `false`       | https://developer.mozilla.org/docs/Web/HTTP/Headers/Expect-CT |\n\nThis is to set \"Expect-CT\" header and it's to tell browsers to expect Certificate Transparency.\n\n### `referrerPolicy`\n```ts\n{\n  referrerPolicy:\n    | false\n    | 
\"no-referrer\" | \"no-referrer-when-downgrade\" | \"origin\" | \"origin-when-cross-origin\" | \"same-origin\" | \"strict-origin\" | \"strict-origin-when-cross-origin\"\n    | (\"no-referrer\" | \"no-referrer-when-downgrade\" | \"origin\" | \"origin-when-cross-origin\" | \"same-origin\" | \"strict-origin\" | \"strict-origin-when-cross-origin\")[];\n}\n```\n\n| Default Value | MDN                                                                 |\n|---------------|---------------------------------------------------------------------|\n| `false`       | https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy |\n\nThis is to set the \"Referrer-Policy\" header and it's to prevent other servers from obtaining the referrer. You can specify one or more\nvalues as a fallback for legacy browsers which do not support a specific value.\n\n\n## API\n### `createSecureHeaders`\n```ts\nimport { createSecureHeaders } from \"next-secure-headers\";\n\ncreateSecureHeaders({ referrerPolicy: \"same-origin\" });\n// [\n//   {\n//     key: \"Referrer-Policy\",\n//     value: \"same-origin\",\n//   },\n// ]\n```\n\n`createSecureHeaders` is a function that returns headers as an array of objects in the format `{ key, value }` .\n\n```ts\ncreateSecureHeaders(OPTIONS);\n```\n\nThe first argument accepts options for rules.\n\n### `withSecureHeaders`\n```ts\nimport { withSecureHeaders } from \"next-secure-headers\";\n\nexport default withSecureHeaders({ referrerPolicy: \"same-origin\" })(Page);\n```\n\n`withSecureHeaders` is a HOC that specifies headers using `getServerSideProps` . You can use this function for the application\n( `/pages/_app.tsx` ) and for page components ( `/pages/xxx.tsx` ). 
**THIS IS NOT AVAILABLE IN `next.config.js` .**\n\n```ts\nwithSecureHeaders(OPTIONS)(APPLICATION_OR_COMPONENT);\n```\n\nThe first argument accepts options for rules, and the argument of the returned function accepts an application or page component.\nThe returned value is a new React component.\n\n### `createHeadersObject`\n```ts\nimport { createHeadersObject } from \"next-secure-headers\";\n\ncreateHeadersObject({ referrerPolicy: \"same-origin\" });\n// {\n//   \"Referrer-Policy\": \"same-origin\",\n// }\n```\n\n`createHeadersObject` is a function that returns headers as a plain object keyed by header name.\n\n```ts\ncreateHeadersObject(OPTIONS);\n```\n\nThe first argument accepts options for rules.\n\n\n## Recipes\n### How to remove X-Powered-By header\nIn general, the X-Powered-By HTTP response header should be removed from responses because it reveals server\ninformation to attackers.\n\nnext-secure-headers does not support removing the X-Powered-By header, but Next.js does.\n\n```ts\n// next.config.js\nmodule.exports = {\n  poweredByHeader: false,\n};\n```\n\nIf you set `poweredByHeader` to `false` in `next.config.js` , Next.js removes the header from responses.\n\n### Overrides headers in a specific page using `withSecureHeaders`\n```ts\n// /pages/_app.tsx\nexport default withSecureHeaders({ referrerPolicy: \"same-origin\" })(Application);\n\n// /pages/about.tsx\nexport default withSecureHeaders({ referrerPolicy: \"no-referrer-when-downgrade\" })(Page);\n// But actually the server responds \"same-origin\"...\n```\n\nnext-secure-headers cannot override response headers in child page components because of restrictions in the Next.js\narchitecture.\n\n```ts\n// /config/secure-headers.ts\nimport { withSecureHeaders } from \"next-secure-headers\";\n\nexport const secureHeadersDefaultOption: Parameters\u003ctypeof withSecureHeaders\u003e[0] = {\n  referrerPolicy: \"same-origin\",\n};\n\n// /pages/_app.tsx\nimport { secureHeadersDefaultOption } from 
\"../config/secure-headers\";\n\nexport default withSecureHeaders(secureHeadersDefaultOption)(Application);\n\n// /pages/about.tsx\nexport default withSecureHeaders({\n  ...secureHeadersDefaultOption,\n  referrerPolicy: \"no-referrer-when-downgrade\",\n})(Page);\n```\n\nTo solve this, you should define the option as one module, then you should import and merge the object.\n\n\n## Contributing to next-secure-headers\nBug reports and pull requests are welcome on GitHub at\n[https://github.com/jagaapple/next-secure-headers](https://github.com/jagaapple/next-secure-headers). This project\nis intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the\n[Contributor Covenant](http://contributor-covenant.org) code of conduct.\n\nPlease read [Contributing Guidelines](./.github/CONTRIBUTING.md) before development and contributing.\n\n\n## License\nThe library is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).\n\nCopyright 2020 Jaga Apple. All rights reserved.\n","funding_links":[],"categories":["TypeScript"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjagaapple%2Fnext-secure-headers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjagaapple%2Fnext-secure-headers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjagaapple%2Fnext-secure-headers/lists"}