How can I remove the content-security-policy header from the image request
Unanswered
Exotic Shorthair posted this in #help-forum
Exotic ShorthairOP
I tried to remove it by setting the value to an empty string in next config but it doesn't work
```js
/** @type {import('next').NextConfig} */
const nextConfig = {
  images: {
    contentSecurityPolicy: "",
  },
};
export default nextConfig;
```
16 Replies
Exotic ShorthairOP
---
this is kind of a strange thing
I don't see any need to remove that
Exotic ShorthairOP
after I set the value to empty string, the header still exists
@gin then why do I get this warning message
what browser is this?
Exotic ShorthairOP
edge
I will test it on chrome
yeah
I don't have that
on chrome
the header doesn't change anything, it even protects u in some kind of way. Even tho it's meant for sandboxing a page
Exotic ShorthairOP
yeah I agree with you
this warning message doesn't exist on chrome
I'll leave the discussion open in case someone knows why Microsoft Edge is alerting me with this message.
@Exotic Shorthair I'll leave the discussion open in case someone knows why Microsoft Edge is alerting me with this message.
as gin already said: it's good that it's there. Else you might be vulnerable to attacks.
However: if you know what you are doing you can still [remove them](https://nextjs.org/docs/app/building-your-application/configuring/content-security-policy#without-nonces). Configure your Next.js config like this:
```js
const cspHeader = `
  img-src 'self' blob: data:;
` // add here how your app should handle it.

module.exports = {
  async headers() {
    return [
      {
        // Apply the header to every route
        source: '/(.*)',
        headers: [
          {
            key: 'Content-Security-Policy',
            // Collapse the multi-line template into a single header value
            value: cspHeader.replace(/\n/g, ''),
          },
        ],
      },
    ]
  },
}
```
You can see a good overview of available strings here: https://content-security-policy.com/
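Added example, not part of the thread and not Next.js code: a small parser that shows what a `Content-Security-Policy` value like the one in the config above actually restricts once the browser applies the CSP fallback rules. The function names and the comparison policy are assumptions made for this illustration.

```javascript
// Fallback chains for fetch directives (CSP Level 3): when a directive is
// absent, the browser consults these in order before giving up.
const FALLBACKS = {
  'script-src': ['default-src'], 'style-src': ['default-src'],
  'img-src': ['default-src'], 'font-src': ['default-src'],
  'connect-src': ['default-src'], 'media-src': ['default-src'],
  'object-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
};

// Policy string as the config above would send it (newlines stripped).
const ANSWER_POLICY = "img-src 'self' blob: data:;";
// Constructed comparison value for this example only.
const COMPARISON_POLICY = "default-src 'self'; script-src 'none'; sandbox;";

// Parse a header value into Map<directive name, source list>.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list that governs `directive`, or null when nothing applies.
function effectiveSources(policy, directive) {
  for (const name of [directive, ...(FALLBACKS[directive] || [])]) {
    if (policy.has(name)) return policy.get(name);
  }
  return null; // no directive applies: this resource type is not restricted
}

// Fetch directives the policy leaves completely open.
function unrestricted(policy) {
  return Object.keys(FALLBACKS)
    .filter((d) => effectiveSources(policy, d) === null);
}

console.log('left open by img-src-only policy:',
  unrestricted(parseCsp(ANSWER_POLICY)));
console.log('left open by comparison policy:',
  unrestricted(parseCsp(COMPARISON_POLICY)));
```

A policy that lists only `img-src` constrains image loads and nothing else; adding `default-src` closes the remaining fetch directives through the fallback chain.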