Headers

const nextConfig: NextConfig = {
  // ...
  async headers() {
    return [
      {
        source: "/(.*)",
        headers: [
          /*
            This prevents browsers from interpreting files as a different MIME type than what is declared. It helps mitigate attacks where a browser might try to guess the file type (content sniffing),
            potentially executing malicious scripts.
           */
          {
            key: "X-Content-Type-Options",
            value: "nosniff",
          },
          /*
            This header enforces HTTPS for the site. It tells the browser to only connect to the site over HTTPS for the next 31,536,000 seconds (1 year) and includes all subdomains. The preload directive means the site can be added to the HTTP Strict Transport Security (HSTS) preload list maintained by browsers.
            X-Frame-Options (DENY):
          */
          {
            key: "Strict-Transport-Security",
            value: "max-age=31536000; includeSubDomains; preload",
          },
          /*
            This controls the amount of information sent in the Referer header when making requests to other sites. strict-origin-when-cross-origin means the Referer will include the full URL for same-origin requests but will only include the origin (protocol, domain, and port) for cross-origin requests,
            keeping more information private.
           */
          {
            key: "Referrer-Policy",
            value: "strict-origin-when-cross-origin",
          },
          /*
            This prevents the page from being embedded in an iframe, which helps protect against clickjacking attacks. DENY means that the page cannot be displayed in any frame,
            regardless of where the request comes from.
           */
          {
            key: "X-Frame-Options",
            value: "DENY",
          },
        ],
      },
    ];
  },
};