Next.js App Exposed: Missing Critical Security Headers Opens Site to XSS, Clickjacking
A critical security oversight has left a Next.js application unprotected against common web attacks. The site's configuration lacks fundamental HTTP security headers, leaving it directly exposed to cross-site scripting (XSS), clickjacking, and MIME sniffing attacks. This exposure stems from an empty `next.config.ts` file and a `layout.tsx` that exports metadata but no security directives, leaving the application's defenses wide open.
The missing headers constitute a basic but severe security failure. The application has no `Content-Security-Policy` to mitigate script injection, no `X-Frame-Options` set to `DENY` to prevent clickjacking, no `X-Content-Type-Options: nosniff` to block MIME type confusion attacks, and no `Referrer-Policy` to control referrer data leakage. Without these safeguards, user sessions and data are at heightened risk from well-known exploitation techniques that these headers are specifically designed to prevent.
This vulnerability highlights a common yet dangerous pitfall in modern web development, where framework defaults may not include these essential protections. The fix, tagged as a `fix(security)` PR bundle, requires implementing a `headers()` function in the Next.js configuration to deploy a restrictive CSP (allowing only the app itself, Vercel Analytics, and required fonts) and ensuring all four critical headers are present and verified. Until the fix is deployed, the application remains in a knowingly vulnerable state.
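As an added example (not the PR's own code), a `next.config.ts`-style `headers()` implementation for the four headers above, plus a check that reports which of them a deployed response is missing or weakens; the analytics and font hosts and the `Referrer-Policy` value are assumptions:

```typescript
// Third-party origins are assumptions (Vercel Analytics script host, Google Fonts).
const ANALYTICS_HOST = "https://va.vercel-scripts.com";
const FONT_CSS_HOST = "https://fonts.googleapis.com";
const FONT_FILE_HOST = "https://fonts.gstatic.com";

// Restrictive CSP: nothing by default, scripts only self + analytics, styles/fonts
// only self + font hosts, no framing, no plugins, no <base> hijacking.
function buildCsp(): string {
  return [
    "default-src 'self'",
    `script-src 'self' ${ANALYTICS_HOST}`,
    `style-src 'self' ${FONT_CSS_HOST}`,
    `font-src 'self' ${FONT_FILE_HOST}`,
    "frame-ancestors 'none'",
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// The four headers the advisory names; the Referrer-Policy value is an assumed choice.
function securityHeaders(): { key: string; value: string }[] {
  return [
    { key: "Content-Security-Policy", value: buildCsp() },
    { key: "X-Frame-Options", value: "DENY" },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  ];
}

// The object next.config.ts exports: headers() applies the set to every route.
// Kept a plain object so this file runs without importing NextConfig from "next".
const nextConfig = {
  async headers() {
    return [{ source: "/(.*)", headers: securityHeaders() }];
  },
};

// Verification: given response headers observed on the deployed site (any name case),
// list those of the four that are absent or weaker than required.
function missingHeaders(received: Record<string, string>): string[] {
  const got = new Map(Object.entries(received).map(([k, v]): [string, string] => [k.toLowerCase(), v]));
  // A CSP only counts if it forbids framing; the other three must match exactly.
  return securityHeaders().filter((h) => {
    const v = got.get(h.key.toLowerCase());
    return v === undefined || (h.key === "Content-Security-Policy"
      ? !v.includes("frame-ancestors 'none'")
      : v.toLowerCase() !== h.value.toLowerCase());
  }).map((h) => h.key);
}
```

In the real `next.config.ts`, type the object as `NextConfig` (`import type { NextConfig } from "next"`) and finish with `export default nextConfig;`. Note that Next.js itself emits inline scripts for hydration, so a `script-src` this strict needs the per-request nonce approach from the Next.js CSP docs (or it will break the app), and `frame-ancestors` is the modern equivalent of `X-Frame-Options`, so keep both for older browsers.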