58 lines
2.0 KiB
TypeScript
58 lines
2.0 KiB
TypeScript
import type { NextConfig } from "next";
|
|
|
|
/**
|
|
* Security headers applied to every response.
|
|
*
|
|
* Notes on each:
|
|
* - CSP: tight default; allows Google Fonts (next/font) and the same-origin
|
|
* /api routes. No third-party scripts. `frame-ancestors 'none'` prevents
|
|
* this app being embedded in another site's iframe.
|
|
* - HSTS: only meaningful behind HTTPS (Render terminates TLS, so this is
|
|
* correct in production).
|
|
* - Permissions-Policy: drop everything we don't use.
|
|
* - Referrer-Policy: same-origin — never leak the cid+cs query string to
|
|
* other origins via the Referer header.
|
|
* - X-Content-Type-Options: prevents MIME sniffing.
|
|
*/
|
|
// Next.js React dev runtime uses dynamic-script execution for fast-refresh,
|
|
// error overlays, and source-map reconstruction. Permit that ONLY in dev so
|
|
// HMR works; production CSP stays strict (no dynamic execution allowed).
|
|
const isDev = process.env.NODE_ENV !== "production";
|
|
const devOnlyDynamicScript = isDev ? " 'unsafe-eval'" : "";
|
|
|
|
const securityHeaders = [
|
|
{
|
|
key: "Content-Security-Policy",
|
|
value: [
|
|
"default-src 'self'",
|
|
`script-src 'self' 'unsafe-inline'${devOnlyDynamicScript}`,
|
|
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
|
|
"font-src 'self' https://fonts.gstatic.com data:",
|
|
"img-src 'self' data:",
|
|
"connect-src 'self'",
|
|
"frame-ancestors 'none'",
|
|
"form-action 'self'",
|
|
"base-uri 'self'",
|
|
"object-src 'none'",
|
|
].join("; "),
|
|
},
|
|
{ key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
|
|
{ key: "X-Content-Type-Options", value: "nosniff" },
|
|
{ key: "Referrer-Policy", value: "same-origin" },
|
|
{
|
|
key: "Permissions-Policy",
|
|
value: "camera=(), microphone=(), geolocation=(), interest-cohort=()",
|
|
},
|
|
{ key: "X-Frame-Options", value: "DENY" },
|
|
];
|
|
|
|
const nextConfig: NextConfig = {
|
|
poweredByHeader: false,
|
|
reactStrictMode: true,
|
|
async headers() {
|
|
return [{ source: "/:path*", headers: securityHeaders }];
|
|
},
|
|
};
|
|
|
|
export default nextConfig;
|