“alexvisualmakers” 600552c858 feat: Migrate from agent markdown files to Skills, Rules, and Sub-Agents
Replace the manual "read .claude/agents/*.md" workflow with native
Claude Code features for a more efficient, scalable development experience:

- **Skills** (.claude/skills/): 7 auto-discovered slash commands
  (/requirements, /architecture, /frontend, /backend, /qa, /deploy, /help)
  with forked sub-agents for heavy tasks and inline execution for interactive ones
- **Rules** (.claude/rules/): 4 modular rule files (general, frontend, backend,
  security) auto-applied based on file context
- **Sub-Agents** (.claude/agents/): Lightweight configs for frontend-dev,
  backend-dev, and qa-engineer with model, tool, and turn limit settings
- **Context Engineering**: Layered context loading, context isolation via
  forked skills, built-in context recovery after compaction, and
  "always read, never guess" rules to prevent hallucinated code references
- **CLAUDE.md**: Auto-loaded project context replacing PROJECT_CONTEXT.md
- **Feature tracking**: features/INDEX.md as persistent state across sessions
- **Production guides**: docs/production/ for error tracking, security,
  performance, database optimization, and rate limiting
- **Init Mode**: /requirements detects empty PRD and bootstraps full project
  setup (PRD + all feature specs) from a single project description

Removed: 6 monolithic agent files, PROJECT_CONTEXT.md, HOW_TO_USE_AGENTS.md,
TEMPLATE_CHANGELOG.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 10:15:27 +01:00


Security Headers Configuration

Protect against XSS, Clickjacking, MIME sniffing, and other common web attacks.

Setup

Add security headers to next.config.ts:

```ts
import type { NextConfig } from 'next'

const nextConfig: NextConfig = {
  // headers() runs at build/request time; each entry applies to the routes
  // matched by `source`. '/:path*' matches every route, including API routes.
  async headers() {
    return [
      {
        source: '/:path*',
        headers: [
          {
            // Refuse to be framed by any origin (clickjacking defence)
            key: 'X-Frame-Options',
            value: 'DENY',
          },
          {
            // Browsers must honour the declared Content-Type, never sniff it
            key: 'X-Content-Type-Options',
            value: 'nosniff',
          },
          {
            // Send only the origin on cross-origin requests, the full URL same-origin
            key: 'Referrer-Policy',
            value: 'origin-when-cross-origin',
          },
          {
            // One year of HTTPS-only for this host and all subdomains;
            // only served over HTTPS, browsers ignore it on plain HTTP
            key: 'Strict-Transport-Security',
            value: 'max-age=31536000; includeSubDomains',
          },
        ],
      },
    ]
  },
}

export default nextConfig
```

What Each Header Does

| Header | Protection |
|---|---|
| X-Frame-Options: DENY | Prevents your site from being embedded in iframes (clickjacking) |
| X-Content-Type-Options: nosniff | Prevents browsers from guessing content types (MIME sniffing) |
| Referrer-Policy | Controls how much URL info is sent to other sites |
| Strict-Transport-Security | Forces HTTPS connections |

Verify After Deployment

  1. Open Chrome DevTools
  2. Go to Network tab
  3. Click on any request to your site
  4. Check Response Headers section
  5. Verify all 4 headers are present
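The same check as the DevTools steps, scripted so it can run in CI. This is an added example, not part of the template: it audits a header set against the values in the `next.config.ts` above, and the `SAMPLE_OK` object and the `audit-headers.js` file name are assumptions.

```javascript
// Added example, not part of the template: audit a response's security headers
// against the next.config.ts values above. Accepts a plain object or a fetch()
// Headers instance; header names are compared case-insensitively.
const REQUIRED = [
  'x-frame-options',
  'x-content-type-options',
  'referrer-policy',
  'strict-transport-security',
];

// "max-age=31536000; includeSubDomains" -> { maxAge: 31536000, includeSubDomains: true }
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false };
  for (const raw of value.split(';')) {
    const d = raw.trim().toLowerCase();
    if (d.startsWith('max-age=')) result.maxAge = Number(d.slice(8));
    else if (d === 'includesubdomains') result.includeSubDomains = true;
  }
  return result;
}

// Returns a list of findings; an empty list means all four headers are present and sane.
function auditSecurityHeaders(headers) {
  const entries = typeof headers.entries === 'function' ? headers.entries() : Object.entries(headers);
  const h = {};
  for (const [k, v] of entries) h[String(k).toLowerCase()] = String(v).trim();

  const findings = [];
  for (const name of REQUIRED) if (!(name in h)) findings.push(`missing ${name}`);

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo && xfo !== 'DENY' && xfo !== 'SAMEORIGIN') findings.push(`x-frame-options is "${xfo}", expected DENY or SAMEORIGIN`);
  const xcto = (h['x-content-type-options'] || '').toLowerCase();
  if (xcto && xcto !== 'nosniff') findings.push(`x-content-type-options is "${xcto}", expected nosniff`);
  if ((h['referrer-policy'] || '').toLowerCase() === 'unsafe-url') findings.push('referrer-policy unsafe-url sends the full URL to other sites');
  if (h['strict-transport-security']) {
    const { maxAge, includeSubDomains } = parseHsts(h['strict-transport-security']);
    if (!(maxAge >= 31536000)) findings.push('strict-transport-security max-age should be at least 31536000 (one year)');
    if (!includeSubDomains) findings.push('strict-transport-security is missing includeSubDomains');
  }
  return findings;
}

// Constructed sample: what a deployment using the config above should send.
const SAMPLE_OK = {
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'origin-when-cross-origin',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
};

// Live check against your own deployment: node audit-headers.js https://your-site.example
if (/^https?:\/\//.test(process.argv[2] || '')) {
  fetch(process.argv[2], { redirect: 'manual' }).then((res) => {
    const findings = auditSecurityHeaders(res.headers);
    console.log(findings.length ? findings.join('\n') : 'all security headers present and sane');
  });
}
```

Run it against the HTTPS URL of the deployed site; a redirect from HTTP will not carry HSTS, so check the final HTTPS response.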

Advanced (Optional)

Content-Security-Policy (CSP) - The most powerful header, but it can break your app if misconfigured. Only add it after thorough testing:

`Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'`

Note that `'unsafe-inline'` in `script-src` lets any inline script run, which removes most of the XSS protection CSP offers; it is a starting point to get the app working, not the end state. Start with report-only mode first: `Content-Security-Policy-Report-Only` reports violations instead of blocking them, so you can see what the policy would break before enforcing it.