Add security headers (CSP, HSTS, X-Frame, etc.) — Cursor
Missing security headers let attackers frame your site for clickjacking, downgrade HTTPS connections, or inject scripts. Browsers warn users and search engines flag the site.
Fixing this in Cursor
Agentic AI code editor built on VSCode
In Next.js, add headers in `next.config.js` (or `next.config.ts`) under the `headers` key. Vercel applies them on every response.
The prompt for Cursor
Copy and paste this into your Cursor chat exactly as-is.
Apply these changes to my codebase. Edit the files directly and keep existing formatting:

Add security headers

1. Open `next.config.ts` and add a `headers()` async function.
2. Return Content-Security-Policy, Strict-Transport-Security, X-Frame-Options=DENY, X-Content-Type-Options=nosniff and Referrer-Policy=strict-origin-when-cross-origin for path "/(.*)".
3. Restart the dev server and verify with `curl -I https://yoursite/`.
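What the prompt asks Cursor to produce, written out as a `next.config.js` so you can compare the generated diff against it. This is an added example, not code from the page or from Pantra; the CSP directive values, the one-year HSTS `max-age`, and the `includeSubDomains` switch are assumptions to adapt to your own site.

```javascript
// next.config.js -- added example, not the page's or Pantra's own code.
// Builds the five headers named in the prompt for every path ("/(.*)").

const ONE_YEAR_SECONDS = 31536000;

// Assumption: a starting CSP that allows same-origin resources only.
// If your pages rely on inline scripts, a policy this strict will block
// them (the first "common mistake" below); roll it out in report-only
// mode or add the specific sources you need before enforcing it.
const CSP_DIRECTIVES = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "style-src": ["'self'"],
  "img-src": ["'self'", "data:"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "frame-ancestors": ["'none'"],
};

// Serialise the directive map into a single CSP header value.
function buildCsp(directives = CSP_DIRECTIVES) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Build the HSTS value. includeSubDomains is off by default: only turn it on
// once every subdomain is served over HTTPS, otherwise users get locked out.
function buildHsts({ maxAge = ONE_YEAR_SECONDS, includeSubDomains = false } = {}) {
  return `max-age=${maxAge}${includeSubDomains ? "; includeSubDomains" : ""}`;
}

// The five headers from the prompt, in the {key, value} shape Next.js expects.
function buildSecurityHeaders(options = {}) {
  return [
    { key: "Content-Security-Policy", value: buildCsp(options.csp) },
    { key: "Strict-Transport-Security", value: buildHsts(options.hsts) },
    { key: "X-Frame-Options", value: "DENY" },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  ];
}

/** @type {import('next').NextConfig} */
const nextConfig = {
  async headers() {
    return [
      {
        // Match every route so no page ships without the headers.
        source: "/(.*)",
        headers: buildSecurityHeaders(),
      },
    ];
  },
};

// Export for Next.js; the typeof guard keeps the file loadable as an ES module too.
if (typeof module !== "undefined") {
  module.exports = nextConfig;
}
```

Keeping the header list in a function rather than inline literals makes the HSTS and CSP choices reviewable in one place. For a route that must be embeddable (the checkout-iframe case in the mistakes list), the Next.js headers docs state that when two entries match the same path and set the same key, the last one wins, so a later entry with a narrower `source` and a different `X-Frame-Options` value overrides the global `DENY` for that path only.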
Why this matters
Security headers are small HTTP response headers that tell the browser how to protect your users. They are free to enable and drastically reduce the attack surface for XSS, clickjacking, MIME sniffing, and downgrade attacks. Every major security scanner (Mozilla Observatory, securityheaders.com, Google Security Checkup) runs against them.
Most AI-built apps ship without any custom headers because the scaffold template does not include them and nobody asks. This is the easiest "medium-severity" finding to remediate in a Pantra Security Audit.
Strict-Transport-Security (HSTS) is especially important: once a browser sees it, it refuses to make any non-HTTPS request to your domain for the max-age duration. This blocks SSL-stripping attacks and protects users on hostile networks.
How to use this prompt in Cursor
1. Open your Cursor project.
2. Copy the prompt above with the copy button.
3. Paste into the Cursor chat and send.
4. Review the diff, accept the changes, redeploy.
5. Verify the fix using the checklist below.
Common mistakes to avoid
- Setting a Content-Security-Policy that blocks your own inline scripts, breaking the site.
- Setting `X-Frame-Options: DENY` on a page that needs to be embedded (e.g., checkout iframe).
- Using HSTS with `max-age=31536000` on a subdomain that still has HTTP — locks out users.
- Shipping `Referrer-Policy: no-referrer` everywhere — breaks analytics and affiliate tracking.
- Adding CSP in a `<meta>` tag instead of an HTTP header — some directives do not work in meta.
How to verify the fix worked
- Run https://securityheaders.com/?q=yoursite.com — target grade A.
- Run https://observatory.mozilla.org/ — target grade B or better.
- `curl -I https://yoursite.com` — confirm the five headers are present.
- Open DevTools → Network → response headers — verify on real pages.
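The same check as the `curl -I` step and the mistakes list above, but scripted so it can run in CI after every deploy. This is an added example, not Pantra's scanner or code from the page; it assumes Node 18+ for the built-in `fetch`, and the one-year HSTS bar (`MIN_HSTS_MAX_AGE`) is an assumption taken from the `max-age=31536000` value the page mentions. The sample header set is constructed for the example.

```javascript
// check-headers.js -- added example, not Pantra's code.
// Audits a response's headers for the five the prompt adds and flags weak values.

// Assumption: one year is the bar for HSTS max-age (the value the page uses).
const MIN_HSTS_MAX_AGE = 31536000;

// Parse max-age out of an HSTS value; -1 when absent or malformed.
function hstsMaxAge(value) {
  const m = /max-age\s*=\s*(\d+)/i.exec(value);
  return m ? Number(m[1]) : -1;
}

// Required headers (lower-case names) and a predicate that accepts a strong value.
const REQUIRED = {
  "content-security-policy": (v) => v.trim().length > 0,
  "strict-transport-security": (v) => hstsMaxAge(v) >= MIN_HSTS_MAX_AGE,
  "x-frame-options": (v) => ["deny", "sameorigin"].includes(v.trim().toLowerCase()),
  "x-content-type-options": (v) => v.trim().toLowerCase() === "nosniff",
  "referrer-policy": (v) => v.trim().length > 0,
};

// Case-insensitive lookup in a plain object of headers.
function lookup(obj, name) {
  const key = Object.keys(obj).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : obj[key];
}

// headers: a plain object or a fetch Headers instance.
// Returns a list of findings; an empty list means all five are present and strong.
function auditSecurityHeaders(headers) {
  const isHeaders = typeof Headers !== "undefined" && headers instanceof Headers;
  const get = (name) => (isHeaders ? headers.get(name) : lookup(headers, name));
  const findings = [];
  for (const [name, ok] of Object.entries(REQUIRED)) {
    const value = get(name);
    if (value === null || value === undefined) {
      findings.push(`${name}: missing`);
    } else if (!ok(value)) {
      findings.push(`${name}: weak value "${value}"`);
    }
  }
  return findings;
}

// Live mode: HEAD request without following redirects, so you audit the
// response the browser actually receives for that URL.
async function auditUrl(url) {
  const res = await fetch(url, { method: "HEAD", redirect: "manual" });
  return auditSecurityHeaders(res.headers);
}

// Constructed sample: a site that applied the prompt but kept a short HSTS
// max-age and forgot Referrer-Policy.
const SAMPLE_HEADERS = {
  "Content-Security-Policy": "default-src 'self'",
  "Strict-Transport-Security": "max-age=300",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
};

// Usage: node check-headers.js https://yoursite.com/  (no URL: audit the sample)
if (typeof require !== "undefined" && require.main === module) {
  const url = process.argv[2];
  const report = url ? auditUrl(url) : Promise.resolve(auditSecurityHeaders(SAMPLE_HEADERS));
  report.then((findings) => {
    console.log(findings.length ? findings.join("\n") : "all five headers present and strong");
    process.exitCode = findings.length ? 1 : 0;
  });
}
```

The exit code makes this usable as a deploy gate: a missing header or an HSTS `max-age` below the bar fails the build before a scanner or a user notices.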
Frequently asked questions
Will adding CSP break my site?
What is the minimum HSTS value?
Do security headers affect SEO?