next-safe allows you to configure every header that it generates. Most config options may be set to false to disable the feature. Here are the default values for all config options.
nextSafe({
contentTypeOptions: "nosniff",
contentSecurityPolicy: {
"base-uri": "'none'",
"child-src": "'none'",
"connect-src": "'self'",
"default-src": "'self'",
"font-src": "'self'",
"form-action": "'self'",
"frame-ancestors": "'none'",
"frame-src": "'none'",
"img-src": "'self'",
"manifest-src": "'self'",
"media-src": "'self'",
"object-src": "'none'",
"prefetch-src": "'self'",
"script-src": "'self'",
"style-src": "'self'",
"worker-src": "'self'",
mergeDefaultDirectives: false,
reportOnly: false,
},
frameOptions: "DENY",
permissionsPolicy: {},
permissionsPolicyDirectiveSupport: ["proposed", "standard"],
isDev: false,
referrerPolicy: "no-referrer",
xssProtection: "1; mode=block",
})For more information on each of these options, check out their documentation: