import type { NextConfig } from "next";

/**
 * Security headers applied to every response.
 *
 * Notes on each:
 *   - CSP: tight default; allows Google Fonts (next/font) and the same-origin
 *     /api routes. No third-party scripts. `frame-ancestors 'none'` prevents
 *     this app being embedded in another site's iframe.
 *   - HSTS: only meaningful behind HTTPS (Render terminates TLS, so this is
 *     correct in production).
 *   - Permissions-Policy: drop everything we don't use.
 *   - Referrer-Policy: same-origin — never leak the cid+cs query string to
 *     other origins via the Referer header.
 *   - X-Content-Type-Options: prevents MIME sniffing.
 */
const securityHeaders = [
  {
    key: "Content-Security-Policy",
    value: [
      "default-src 'self'",
      "script-src 'self' 'unsafe-inline'",
      "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
      "font-src 'self' https://fonts.gstatic.com data:",
      "img-src 'self' data:",
      "connect-src 'self'",
      "frame-ancestors 'none'",
      "form-action 'self'",
      "base-uri 'self'",
      "object-src 'none'",
    ].join("; "),
  },
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "same-origin" },
  {
    key: "Permissions-Policy",
    value: "camera=(), microphone=(), geolocation=(), interest-cohort=()",
  },
  { key: "X-Frame-Options", value: "DENY" },
];

const nextConfig: NextConfig = {
  poweredByHeader: false,
  reactStrictMode: true,
  async headers() {
    return [{ source: "/:path*", headers: securityHeaders }];
  },
};

export default nextConfig;