Insecure Headers

Insecure Headers in V0-Built Apps

V0 generates beautiful React components, but it does not generate security infrastructure like HTTP headers. Applications assembled from V0 components inherit whatever security configuration the developer sets up, which is usually nothing.

Scan Your v0 App

How It Happens

V0 generates individual UI components, not application configuration. When developers build Next.js applications by assembling V0-generated components, they focus on wiring up data and styling. Security headers (which live in next.config.js or middleware.ts) are infrastructure concerns that V0 never addresses. Developers who build primarily with V0 may not have deep Next.js experience. They know how to compose components but may not know that security headers need to be configured separately. The gap between "the UI works" and "the application is secure" is wide when V0 handles the former but not the latter. Next.js does not set security headers by default either. Without explicit configuration in next.config.js or middleware.ts, the application serves responses with no Content-Security-Policy, no X-Frame-Options, and no Strict-Transport-Security. Deploying to Vercel adds some basic protections but not a comprehensive security header set.

Impact

Without Content-Security-Policy, any XSS vulnerability in a V0 component can execute arbitrary scripts without restriction. CSP is the most important defense-in-depth layer against XSS, and it is absent from virtually every V0-assembled application. Missing X-Frame-Options allows the application to be embedded in iframes on malicious sites. For apps with sensitive actions (form submissions, payment flows, account management), this enables clickjacking attacks. Without Permissions-Policy, the browser grants the page access to powerful APIs like camera, microphone, and geolocation by default. If a V0 component is compromised through XSS, the attacker can access these APIs without the user realizing it.

How to Detect

Open your V0-built Next.js app in the browser. In DevTools, go to the Network tab and click on the main document request. Review the response headers for Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy, and Permissions-Policy. Alternatively, run curl -I https://your-app.vercel.app from the terminal. Check which security headers are present and which are missing. Vibe App Scanner checks all response headers for every scanned page and provides specific configuration instructions for Next.js and Vercel deployments.

How to Fix

Add security headers in next.config.js using the headers() async function. This is the most straightforward approach for Next.js apps and works on all deployment platforms including Vercel. For more dynamic CSP (like nonce-based policies), use Next.js middleware.ts to generate headers per-request. This allows computing a unique nonce for each response that inline scripts must include. If deploying to Vercel, you can also set headers in vercel.json. However, next.config.js is preferred because it stays with the code and works on all platforms. Start with restrictive headers and loosen only when specific features require it. X-Content-Type-Options: nosniff and X-Frame-Options: DENY are safe for virtually all applications. CSP requires testing with your specific V0 components to ensure styles and scripts are not blocked.

Code Examples

Adding security headers to a V0-built Next.js app

Vulnerable

// next.config.ts - default V0 project config
const nextConfig = {
  // V0 components work fine, but no security headers
}
export default nextConfig

Secure

// next.config.ts with security headers
const nextConfig = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          { key: 'X-Content-Type-Options', value: 'nosniff' },
          { key: 'X-Frame-Options', value: 'DENY' },
          { key: 'Strict-Transport-Security',
            value: 'max-age=63072000; includeSubDomains; preload' },
          { key: 'Referrer-Policy',
            value: 'strict-origin-when-cross-origin' },
          { key: 'Content-Security-Policy',
            value: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" },
        ],
      },
    ]
  },
}
export default nextConfig

Frequently Asked Questions

Does Vercel add security headers when I deploy?

Vercel adds some basic protections like HTTPS, but does not add Content-Security-Policy, X-Frame-Options, or other application-level security headers. You must configure these in your Next.js application or vercel.json.

Will CSP break V0-generated components?

It depends on the component. V0 components that use inline styles (common with Tailwind) work fine with style-src 'unsafe-inline'. Components that load external fonts, images, or scripts need those sources added to the CSP. Test incrementally.

Do I need security headers if my V0 app is just a landing page?

Yes. Even static landing pages can be clickjacked or have their content manipulated if embedded in an iframe. X-Frame-Options: DENY and X-Content-Type-Options: nosniff should be set on every web page.

Related Security Resources

V0 XSS V0 Exposed API Keys Vercel Insecure Headers

Is Your App Vulnerable?

VAS automatically scans for insecure headers and other security issues in v0 apps. Get actionable results with step-by-step fixes.

Scans from $5, results in minutes.

Get Starter Scan View Pricing