Next.js Guideline: Security — Use CSP headers. Description: Content Security Policy for XSS protection. Do: Configure CSP in next.config.js. Don't: Ship without security headers. Good Example: headers() with CSP. Bad Example: No CSP configuration. Severity: High. Docs: https://nextjs.org/docs/app/building-your-application/configuring/content-security-policy.
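
The "Good Example" named above, written out as an added example (not code from this guideline or from the Next.js project): a next.config.js whose headers() attaches a CSP to every route. The directive values and the buildCsp helper are assumptions to adapt per application.

```javascript
// next.config.js (added example; directive values are assumptions, tune per app)
const isDev = process.env.NODE_ENV !== 'production';

// Policy kept as data so it can be reviewed in code review and unit-tested.
const directives = {
  'default-src': ["'self'"],
  // Next.js development builds need 'unsafe-eval'; it is left out in production.
  // 'unsafe-inline' weakens XSS protection: replace it with per-request nonces
  // if the app can set the header dynamically instead of statically here.
  'script-src': ["'self'", "'unsafe-inline'", ...(isDev ? ["'unsafe-eval'"] : [])],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'blob:', 'data:'],
  'font-src': ["'self'"],
  'object-src': ["'none'"],      // no plugins
  'base-uri': ["'self'"],        // blocks <base> tag hijacking of relative URLs
  'form-action': ["'self'"],
  'frame-ancestors': ["'none'"], // clickjacking protection
  'upgrade-insecure-requests': [],
};

// Serialize to one header value. A source containing ';', ',' or a line break
// would silently start a new directive or policy, so reject it.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([name, sources]) => {
      for (const s of sources) {
        if (/[;,\r\n]/.test(s)) throw new Error(`invalid source in ${name}: ${s}`);
      }
      return [name, ...sources].join(' ');
    })
    .join('; ');
}

const nextConfig = {
  async headers() {
    return [
      {
        source: '/(.*)', // apply to every route
        headers: [{ key: 'Content-Security-Policy', value: buildCsp(directives) }],
      },
    ];
  },
};

if (typeof module !== 'undefined') module.exports = nextConfig;
```

After deploying, confirm the header is present on a production response and watch the browser console for violation reports before tightening script-src further.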