NIN Connect Docs
Platform (Self-Host)Security

Headers & CORS

Security headers and cross-origin policies applied to all NIN Connect responses.

Security Headers

Every response from the platform includes the following security headers, configured in next.config.ts:

HeaderValuePurpose
Content-Security-Policydefault-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'Restricts which resources the browser can load
Strict-Transport-Securitymax-age=63072000; includeSubDomains; preloadForces HTTPS for 2 years, including subdomains
X-Frame-OptionsDENYPrevents the page from being embedded in iframes
X-Content-Type-OptionsnosniffPrevents MIME-type sniffing
Referrer-Policystrict-origin-when-cross-originLimits referrer data sent to other origins
Permissions-Policycamera=(), microphone=(), geolocation=()Disables unused browser APIs

Content Security Policy

The CSP is tuned for a Next.js application:

  • default-src 'self' — only load resources from the same origin
  • script-src 'self' 'unsafe-inline' 'unsafe-eval' — needed for Next.js hydration and dynamic code
  • frame-ancestors 'none' — equivalent to X-Frame-Options: DENY but also works in CSP-aware browsers

HSTS

The Strict-Transport-Security header tells browsers to always use HTTPS. The preload directive allows the domain to be submitted to the HSTS Preload List, which hardcodes HTTPS enforcement in browsers.

CORS Policies

Cross-origin policies are set per route group in src/middleware.ts. The middleware dynamically selects the correct policy based on the request path and sets Access-Control-Allow-* headers.

Route-Specific Policies

Route GroupAllowed OriginCredentialsMethods
/api/v1/** (any)NoGET, POST, PUT, DELETE, OPTIONS
/api/dashboard/*Same origin onlyYesGET, POST, PUT, DELETE, OPTIONS
/api/connect/*Same origin onlyYesGET, POST, OPTIONS
/api/auth/*Same origin onlyNoGET, POST, OPTIONS

Why /api/v1/* Allows Any Origin

The SDK routes (/api/v1/*) are designed to be called from any developer's application, whether that's a web app, mobile backend, or server-side agent. Restricting origins would break legitimate SDK usage. These routes are protected by API key authentication instead.

Why Dashboard Routes Are Same-Origin

Dashboard routes handle admin operations and use Firebase ID tokens from cookies. Allowing cross-origin requests with credentials would open the door to CSRF attacks. Same-origin enforcement ensures only the dashboard frontend can call these routes.

Preflight Handling

The middleware responds to OPTIONS requests with the appropriate CORS headers and a 204 No Content status, satisfying the browser's preflight check without hitting the route handler.

Body Size Limits

The middleware rejects requests larger than 1 MB. This prevents memory exhaustion from oversized payloads.

For server actions, Next.js enforces its own body size limit configured in next.config.ts:

experimental: {
  serverActions: {
    bodySizeLimit: "1mb",
  },
},

On this page