Headers & CORS
Security headers and cross-origin policies applied to all NIN Connect responses.
Security Headers
Every response from the platform includes the following security headers, configured in next.config.ts:
| Header | Value | Purpose |
|---|---|---|
Content-Security-Policy | default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none' | Restricts which resources the browser can load |
Strict-Transport-Security | max-age=63072000; includeSubDomains; preload | Forces HTTPS for 2 years, including subdomains |
X-Frame-Options | DENY | Prevents the page from being embedded in iframes |
X-Content-Type-Options | nosniff | Prevents MIME-type sniffing |
Referrer-Policy | strict-origin-when-cross-origin | Limits referrer data sent to other origins |
Permissions-Policy | camera=(), microphone=(), geolocation=() | Disables unused browser APIs |
Content Security Policy
The CSP is tuned for a Next.js application:
default-src 'self'— only load resources from the same originscript-src 'self' 'unsafe-inline' 'unsafe-eval'— needed for Next.js hydration and dynamic codeframe-ancestors 'none'— equivalent toX-Frame-Options: DENYbut also works in CSP-aware browsers
HSTS
The Strict-Transport-Security header tells browsers to always use HTTPS. The preload directive allows the domain to be submitted to the HSTS Preload List, which hardcodes HTTPS enforcement in browsers.
CORS Policies
Cross-origin policies are set per route group in src/middleware.ts. The middleware dynamically selects the correct policy based on the request path and sets Access-Control-Allow-* headers.
Route-Specific Policies
| Route Group | Allowed Origin | Credentials | Methods |
|---|---|---|---|
/api/v1/* | * (any) | No | GET, POST, PUT, DELETE, OPTIONS |
/api/dashboard/* | Same origin only | Yes | GET, POST, PUT, DELETE, OPTIONS |
/api/connect/* | Same origin only | Yes | GET, POST, OPTIONS |
/api/auth/* | Same origin only | No | GET, POST, OPTIONS |
Why /api/v1/* Allows Any Origin
The SDK routes (/api/v1/*) are designed to be called from any developer's application, whether that's a web app, mobile backend, or server-side agent. Restricting origins would break legitimate SDK usage. These routes are protected by API key authentication instead.
Why Dashboard Routes Are Same-Origin
Dashboard routes handle admin operations and use Firebase ID tokens from cookies. Allowing cross-origin requests with credentials would open the door to CSRF attacks. Same-origin enforcement ensures only the dashboard frontend can call these routes.
Preflight Handling
The middleware responds to OPTIONS requests with the appropriate CORS headers and a 204 No Content status, satisfying the browser's preflight check without hitting the route handler.
Body Size Limits
The middleware rejects requests larger than 1 MB. This prevents memory exhaustion from oversized payloads.
For server actions, Next.js enforces its own body size limit configured in next.config.ts:
experimental: {
serverActions: {
bodySizeLimit: "1mb",
},
},