From 9f0b9585444b15ef658d2c10d9914cca067f31cb Mon Sep 17 00:00:00 2001 From: Jeff Date: Wed, 26 Jan 2022 11:38:15 -0500 Subject: [PATCH] chore(docs): update security headers specification (#33673) 1. fix details on how next handles security headers * note: check your HSTS at https://hstspreload.org * if your using headers in the config you need to add them below like ![Screen Shot 2022-01-25 at 9 58 30 PM](https://user-images.githubusercontent.com/8095978/151096692-1544e239-6229-4654-bf64-b01bfc13a601.png) ## Bug - [ ] Related issues linked using `fixes #number` - [ ] Integration tests added - [ ] Errors have helpful link attached, see `contributing.md` ## Feature - [ ] Implements an existing feature request or RFC. Make sure the feature request has been accepted for implementation before opening a PR. - [ ] Related issues linked using `fixes #number` - [ ] Integration tests added - [ ] Documentation added - [ ] Telemetry added. In case of a feature if it's used or not. - [ ] Errors have helpful link attached, see `contributing.md` ## Documentation / Examples - [ ] Make sure the linting passes by running `yarn lint` Co-authored-by: Steven <229881+styfle@users.noreply.github.com> --- docs/advanced-features/security-headers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/advanced-features/security-headers.md b/docs/advanced-features/security-headers.md index 9a3165c0e9ead90..772d085a09b907f 100644 --- a/docs/advanced-features/security-headers.md +++ b/docs/advanced-features/security-headers.md @@ -43,7 +43,7 @@ This header controls DNS prefetching, allowing browsers to proactively perform d This header informs browsers it should only be accessed using HTTPS, instead of using HTTP. Using the configuration below, all present and future subdomains will use HTTPS for a `max-age` of 2 years. This blocks access to pages or subdomains that can only be served over HTTP. -If you're deploying to [Vercel](https://vercel.com/docs/edge-network/headers#strict-transport-security), this header is not necessary as it's automatically added to all deployments. +If you're deploying to [Vercel](https://vercel.com/docs/edge-network/headers#strict-transport-security), this header is not necessary as it's automatically added to all deployments unless you declare [`headers`](/docs/api-reference/next.config.js/headers.md) in your `next.config.js`. ```jsx {