Medium Websites system

Security Header & CSP Config

A hardened HTTP header layer defined in next.config — a least-privilege Content-Security-Policy that allowlists exactly the embeds used (Cal.com, Turnstile, Supabase, analytics, Sentry) plus X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy, and Permissions-Policy — so the site ships secure defaults without breaking real integrations.

Start a ProjectAll Systems
HMX Zone
Content-Security-Policy

Verified HMX-owned system

System facts

Security Header & CSP Config uses a web app route, data, and conversion layer for Full-Stack Websites. A hardened HTTP header layer defined in next.config — a least-privilege Content-Security-Policy that allowlists exactly the embeds used (Cal.com, T... The architecture connects author csp directives that, next, content-security-policy, and strong with an explicit control path.

Outcome

Strong, least-privilege security headers that block clickjacking and unexpected origins while keeping every real integration working.

Main risk

An over-tight CSP silently breaks Cal.com, Turnstile, or analytics; an over-loose one weakens protection.

Prevention

Allowlist origins explicitly from the known integration list and test the live console for violations before launch.

Fallback

If a needed origin was missed, add it as a scoped exception rather than relaxing the whole policy to default-src *.

System architecture

Security Header & CSP Config Architecture

6 nodes
Author CSP directives that
X-Content-Type-Options
Next
Content-Security-Policy
Fallback Path
Strong
  1. 01Author CSP directives that

    A hardened HTTP header layer defined in next.config — a least-privilege Content-Security-Policy that allowlists exactly the embeds used (Cal.com, T...

  2. 02X-Content-Type-Options

    Add X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy, and a locked-down Permissions-Policy

  3. 03Next

    Next.js next.config headers supports the route, form, or data boundary for Security Header & CSP Config so public UX and backend state stay connected.

  4. 04Content-Security-Policy

    Keep an unsafe-eval allowance development-only so production stays strict

  5. 05Fallback Path

    If a needed origin was missed, add it as a scoped exception rather than relaxing the whole policy to default-src *.

  6. 06Strong

    Strong, least-privilege security headers that block clickjacking and unexpected origins while keeping every real integration working.

2-4 days

How it is built

A hardened HTTP header layer defined in next.config — a least-privilege Content-Security-Policy that allowlists exactly the embeds used (Cal.com, Turnstile, Supabase, analytics, Sentry) plus X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy, and Permissions-Policy — so the site ships secure defaults without breaking real integrations.

  1. 01Author CSP directives that allowlist only the script/frame/connect origins the site actually uses
  2. 02Add X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy, and a locked-down Permissions-Policy
  3. 03Keep an unsafe-eval allowance development-only so production stays strict
  4. 04Verify in production preview that all embeds load and the browser reports no CSP violations

Tools

Workflow surface

  • Next.js next.config headers
  • Content-Security-Policy
  • Vercel
  • Experience layer: Author CSP directives that allowlist only the script/frame/connect origins the site actually uses
  • Server layer: Add X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy, and a locked-down Permissions-Policy
  • Database layer: Next.js next.config headers supports the route, form, or data boundary for Security Header & CSP Config so public UX and backend state stay connected.
  • Automation layer: Content-Security-Policy handles routine steps while allowlist origins explicitly from the known integration list and test the live console for violations before launch.
  • Measurement layer: Strong, least-privilege security headers that block clickjacking and unexpected origins while keeping every real integration working.

Data flow

  1. 01Author CSP directives that allowlist only the script/frame/connect origins the site actually uses
  2. 02Add X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy, and a locked-down Permissions-Policy
  3. 03Keep an unsafe-eval allowance development-only so production stays strict
  4. 04Verify in production preview that all embeds load and the browser reports no CSP violations

Controls and fallbacks

  • An over-tight CSP silently breaks Cal.com, Turnstile, or analytics; an over-loose one weakens protection.
  • Allowlist origins explicitly from the known integration list and test the live console for violations before launch.
  • If a needed origin was missed, add it as a scoped exception rather than relaxing the whole policy to default-src *.

Research basis

System path inside the website build

Full-stack websites for service businesses and operators: route architecture, service pages, lead capture, metadata, proof boundaries, blog/database paths, analytics, and deployment checks.

Route map

Service architecture

Clear service routes

01active
Progress72%

Lead capture

Form and context flow

Lead capture that saves context

02active
Progress86%

Public metadata

SEO and schema layer

SEO and schema on public pages

03active
Progress64%

Launch QA

Analytics and deployment checks

Analytics events tied to CTAs

04active
Progress91%

Build this system around your real handoffs.

Start a ProjectView Proof
All systems operational
HMX Zone
(c) 2026 HMX Zone