Headers specified in next.config.js not being included in response
cammanderson opened this issue · 1 comments
Hi!
We have configured headers (such as "Content-Security-Policy") onto our paths, and noticed that they are not being included in CloudFront responses.
In our use-case we have a public website component and an app, as well as a need for certain paths to have differing policies. The specific headers are those documented on the Next.js site.
From what I can ascertain, my options are:
- Add via a meta tag
- Create a response header policy (one set of headers for all)
Is this a known limitation or am I missing an input option? I could see another issue raised regarding custom headers, and from what I could understand this is not yet a feature. Would it be a difficult adjustment to add some basic support? If not, is there a general direction that can be offered of where to add it in?
Thanks, really appreciate the package.
Hey Cameron,
Yes, this is unfortunately a known limitation with the module (see #9).
It happens because our router service (that runs as Lambda@Edge) only runs on the origin-request CloudFront event.
The custom headers from the next.config.js need to be added to the response, but this event is currently not covered by the router.
A possible solution for adding static headers would be to use the "With existing CloudFront" template (which allows modifying the CloudFront distribution) and apply a Response Headers Policy to it.
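
To confirm which headers configured in next.config.js are absent from a response served by the distribution, a check like the following can be used. It is an added example, not part of the original thread or the module's code; the rule values, paths and observed headers are constructed, and the path matcher is a simplified assumption covering only literal segments, `:param` and `:param*`.

```javascript
// Rules in the shape returned by headers() in next.config.js (constructed sample values).
const rules = [
  { source: '/:path*', headers: [{ key: 'X-Frame-Options', value: 'DENY' }] },
  { source: '/app/:path*', headers: [{ key: 'Content-Security-Policy', value: "default-src 'self'" }] },
];

// Simplified matcher (assumption): literal segments, :param (one segment), :param* (zero or more).
// Regex groups and has/missing conditions from the full Next.js syntax are not covered.
function sourceToRegExp(source) {
  const parts = source.split('/').filter(Boolean).map((seg) => {
    if (/^:\w+\*$/.test(seg)) return '(?:/[^/]+)*';
    if (/^:\w+$/.test(seg)) return '/[^/]+';
    return '/' + seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  });
  return new RegExp('^' + parts.join('') + '/?$');
}

// Collect the headers every matching rule asks for; a later rule wins on the same key.
function expectedHeaders(rules, path) {
  const expected = new Map();
  for (const rule of rules) {
    if (!sourceToRegExp(rule.source).test(path)) continue;
    for (const { key, value } of rule.headers) expected.set(key.toLowerCase(), value);
  }
  return expected;
}

// Compare against the headers actually received (names compared case-insensitively).
function missingHeaders(rules, path, responseHeaders) {
  const actual = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const gaps = [];
  for (const [key, value] of expectedHeaders(rules, path)) {
    if (actual.get(key) !== value) {
      gaps.push({ key, expected: value, actual: actual.get(key) ?? null });
    }
  }
  return gaps;
}

// Constructed response headers: what a response without the configured headers looks like.
const observed = { 'content-type': 'text/html', 'x-cache': 'Miss from cloudfront' };
console.log(missingHeaders(rules, '/app/settings', observed));
```

With a live distribution, pass `Object.fromEntries(res.headers)` from a `fetch` response as `responseHeaders`; an empty result after a Response Headers Policy is attached shows the configured headers are reaching clients for that path.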