February 15, 2026 · 0.1.29 · Jugg.ai

v0.1.29 — feat(security): add security headers to next.config.ts

Release v0.1.29: Security Headers

February 15, 2026

What changed

  • 7 security headers now applied to all routes via next.config.ts (the six detailed below, plus X-DNS-Prefetch-Control):
    • X-Frame-Options: DENY — blocks clickjacking
    • X-Content-Type-Options: nosniff — prevents MIME sniffing
    • Referrer-Policy: strict-origin-when-cross-origin
    • Strict-Transport-Security — enforces HTTPS with 2-year max-age and HSTS preload
    • Permissions-Policy — disables camera, microphone, geolocation, browsing-topics
    • Content-Security-Policy — restrictive CSP with allowlists for Clerk and Sentry
  • 20 unit tests added to verify every header and CSP directive

Why it matters

All HTTP responses now include standard security headers out of the box. This hardens the application against clickjacking, XSS, MIME sniffing, and other common web vulnerabilities without any configuration needed from users.

Technical notes

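  • CSP allows 'unsafe-inline' and 'unsafe-eval' for Next.js/Tailwind compatibility. Where these keywords apply to script-src, the policy does not stop injected inline scripts or eval-based execution, so the CSP is a weak XSS control on its own.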
  • Clerk auth domains and Sentry ingest are allowlisted in script-src, connect-src, img-src, and frame-src
  • frame-ancestors 'none' complements X-Frame-Options: DENY
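
A check in the spirit of the notes above, as an added example that is not the project's own code or tests: it parses the CSP and flags the unsafe-inline/unsafe-eval allowance, a frame-ancestors value that does not mirror X-Frame-Options: DENY, and HSTS values that miss the preload list requirements. The header values, the placeholder hosts clerk.example and sentry.example, includeSubDomains, and the names parseCsp and auditHeaders are assumptions; nonces and hashes are not modelled.

```typescript
// Added example: audits headers shaped like the entries a Next.js headers() config returns.
type Header = { key: string; value: string };

// Constructed sample. Hosts are placeholders; includeSubDomains is an assumption.
const sampleHeaders: Header[] = [
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "Content-Security-Policy", value:
      "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://clerk.example; " +
      "connect-src 'self' https://sentry.example; frame-ancestors 'none'" },
];

// Split a CSP into directive -> sources. A repeated directive is ignored, as browsers do.
function parseCsp(csp: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !out.has(name.toLowerCase())) out.set(name.toLowerCase(), sources);
  }
  return out;
}

function auditHeaders(headers: Header[]): string[] {
  const get = (k: string): string =>
    headers.find((h) => h.key.toLowerCase() === k)?.value ?? "";
  const findings: string[] = [];
  const csp = parseCsp(get("content-security-policy"));
  // script-src falls back to default-src when absent.
  const script = csp.get("script-src") ?? csp.get("default-src") ?? [];
  for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (script.includes(kw)) findings.push(`script-src allows ${kw}`);
  }
  // X-Frame-Options: DENY should be mirrored by frame-ancestors 'none'.
  const ancestors = (csp.get("frame-ancestors") ?? []).join(" ");
  if (get("x-frame-options").toUpperCase() === "DENY" && ancestors !== "'none'") {
    findings.push("frame-ancestors does not mirror X-Frame-Options: DENY");
  }
  // HSTS preload list requirements: max-age >= 1 year plus includeSubDomains.
  const hsts = get("strict-transport-security").toLowerCase();
  const maxAge = Number(/max-age=(\d+)/.exec(hsts)?.[1] ?? 0);
  if (maxAge < 31536000) findings.push("HSTS max-age below one year");
  if (hsts.includes("preload") && !hsts.includes("includesubdomains")) {
    findings.push("HSTS preload without includeSubDomains");
  }
  return findings;
}
```

On the constructed sample, auditHeaders reports only the two script-src findings, which matches the compatibility trade-off described in the technical notes.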

Release Notes

Release Summary

✅ PR #81 Merged Successfully

PR: "feat(security): add security headers to next.config.ts"
Merge method: Squash merge
Merge commit: b35c4e1b9403f910b3a471148d4acb59e406fa97

⚠️ Release Creation — Tag Already Exists

The tag v0.1.29 already exists in the repository, so the GitHub release could not be created with that tag. This likely means a previous release was already published under v0.1.29.

What was merged:

  • Enterprise-grade security headers added to next.config.ts (7 headers applied to all routes)
  • Headers include: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, X-DNS-Prefetch-Control, Strict-Transport-Security, Permissions-Policy, and a comprehensive Content-Security-Policy
  • 20 Vitest tests added in tests/config/security-headers.test.ts

Next steps: To create a release for this change, use the next available version (e.g., v0.1.30) since v0.1.29 is already taken.