Headers specified in next.config.js not being included in response

[cammanderson]

Hi!

We have configured headers (such as "Content-Security-Policy") on to our paths, and noticed that they are not being included in Cloudfront responses.

In our use-case we have a public website component and an app, as well as a need for certain paths to have differing policies. The specific headers are those documented on NextJS site.

From what I can ascertain, my options are:

• Add via a meta tag
• Create a response header policy (one set of headers for all)

Is this a known limitation or am I missing an input option? I could see another issue raised regarding custom headers, and from what I could understand this is not yet a feature. Would it be difficult adjustment to add some basic support? If not, is there a general direction that can be offered of where to add it in?

Thanks, really appreciate the package.

[ofhouse]

Hey Cameron,

yes this unfortunately a known limitation with the module (See #9).

It happens because our router (that runs as Lambda@Edge) service only runs on origin-request CloudFront event.
The custom headers from the next.config.js need to be added to response, but this event is currently not covered by the router.

A possible solution for adding static headers would be to use the With existing CloudFront template (which allows to modify the CloudFront distribution) and apply a Response Headers Policy to it.