[FEATURE] add HTTP security headers

[Nandhu2004]

Feature Description

Add HTTP security headers to the application via the headers() function in next.config.ts.

Problem It Solves

Currently, the app sends no HTTP security headers, leaving it vulnerable to common web attacks such as:

• Clickjacking — the site can be embedded in iframes on malicious pages
• MIME sniffing — browsers may misinterpret response content types
• Excessive data leakage — referrer headers expose more info than needed

Proposed Solution

Update next.config.ts to include an async headers() function that applies the following headers to all routes (/(.*)):

• X-Frame-Options: SAMEORIGIN — prevents clickjacking
• X-Content-Type-Options: nosniff — stops MIME sniffing
• Referrer-Policy: strict-origin-when-cross-origin — limits referrer leakage
• Permissions-Policy — disables unused browser APIs (camera, mic, geolocation)
• X-DNS-Prefetch-Control: on — allows DNS prefetching for performance

---

I'd like to work on this as part of GSSoC 26. Could a maintainer please assign this issue to me?

[krishsoni-hub]

Hi @pushkarscripts , I would absolutely love to be assigned to this backend security task! Implementing HTTP security headers is a crucial step to harden the application against common web vulnerabilities. Here is my step-by-step execution plan for #273:

• Step 1: Integrate a secure header middleware (such as Helmet) into the global backend routing architecture to automatically inject baseline protective headers.
• Step 2: Configure a strict Content Security Policy (CSP) header to tightly restrict the execution of unauthorized scripts, style injections, and external resource fetches.
• Step 3: Implement the Strict-Transport-Security (HSTS) header to enforce secure HTTPS connections over specified domains and subdomains.
• Step 4: Deploy anti-clickjacking and privacy headers including X-Frame-Options, X-Content-Type-Options, and a strict Referrer-Policy.
• Step 5: Perform comprehensive unit and route testing to verify that all response headers attach properly without disrupting legitimate frontend client assets.

Could you please assign this issue to me? Ready to deliver a clean, production-ready security patch! Thanks. #gssoc2026

[karrisanthoshigayatri]

Hi @pushkarscripts ,
I would like to work on this issue under GSSoC 2026 if it is still available.

I have reviewed the requirements and can implement the required HTTP security headers through the headers() function in next.config.ts, including X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and X-DNS-Prefetch-Control. I will also verify that the changes work correctly across all routes without affecting existing functionality.

Kindly consider assigning this issue to me if it remains unassigned.

Thank you!

[salonisingh-5]

Hi @pushkarscripts,

I would like to work on this issue under GSSoC'26.

While reviewing the issue, I noticed that the application currently does not enforce security headers globally, which can leave it exposed to risks such as clickjacking through iframe embedding, MIME-type sniffing, and unnecessary referrer information leakage.

I would like to implement the required headers using the headers() function in next.config.ts and ensure they are applied consistently across all routes. I will also verify that the Permissions-Policy is configured properly so that unused browser APIs such as camera, microphone, and geolocation remain restricted without affecting existing functionality.

Kindly assign this issue to me. I would be happy to contribute and work on strengthening the application's security posture.

Thank you!

[salonisingh-5]

Hi @maintainers,

I have submitted a PR implementing the required HTTP security headers for Issue #273.

PR: #307

The changes have been tested locally and the headers were verified using Chrome DevTools.

Looking forward to your review. Thank you!

[SHRUTIDHEPE]

/assign