From 118658fc10a51acfb53bf94fc0e1a9def55184ba Mon Sep 17 00:00:00 2001
From: Jean du Plessis
Date: Mon, 13 Apr 2026 11:12:54 +0200
Subject: [PATCH] fix(headers): add missing security headers

---
 apps/web/next.config.mjs | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/apps/web/next.config.mjs b/apps/web/next.config.mjs
index bdd9a64a4..83ed1d050 100644
--- a/apps/web/next.config.mjs
+++ b/apps/web/next.config.mjs
@@ -27,6 +27,7 @@ const monorepoRoot = resolve(import.meta.dirname, '../..');
 /** @type {import('next').NextConfig} */
 const nextConfig = {
 reactStrictMode: true,
+ poweredByHeader: false,
 // Both values MUST be set to the monorepo root and kept in sync.
 // `vercel build` sets NEXT_PRIVATE_OUTPUT_TRACE_ROOT to the project dir (apps/web)
@@ -140,6 +141,26 @@ const nextConfig = {
 key: 'Cross-Origin-Opener-Policy',
 value: 'same-origin',
 },
+ {
+ key: 'X-XSS-Protection',
+ value: '0',
+ },
+ {
+ key: 'Referrer-Policy',
+ value: 'strict-origin-when-cross-origin',
+ },
+ {
+ key: 'Permissions-Policy',
+ value: 'geolocation=(), camera=(), microphone=()',
+ },
+ {
+ key: 'Cross-Origin-Resource-Policy',
+ value: 'same-origin',
+ },
+ {
+ key: 'Cross-Origin-Embedder-Policy-Report-Only',
+ value: 'require-corp',
+ },
 ],
 },
 ];
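Review bot: The last added object, `Cross-Origin-Embedder-Policy-Report-Only: require-corp`, is a no-op as written: the report-only form only emits violation reports when the value carries a `report-to` parameter naming a group declared in a `Reporting-Endpoints` (or legacy `Report-To`) response header, and neither appears in this hunk, so the header yields no signal about what would break under `require-corp`. Either add the endpoint alongside it, e.g. `{ key: 'Reporting-Endpoints', value: 'coep="<REPORTING_ENDPOINT_URL>"' },` and change the value to `'require-corp; report-to="coep"'`, or leave the header out until a reporting endpoint exists, with a comment stating that intent. Separately, `Cross-Origin-Resource-Policy: same-origin` refuses any cross-origin no-cors load (`<img>`, `<script>`, fonts) of the matched responses; whether that is safe depends on the `source` matcher of this headers entry, which starts outside the hunk — if it also covers `/_next/static` or public assets consumed from other origins or subdomains, `same-site` or a narrower matcher would avoid breaking those loads.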