35 lines
919 B
JavaScript
35 lines
919 B
JavaScript
const isDev = process.env.NODE_ENV !== "production";
|
|
|
|
const csp = [
|
|
"default-src 'self'",
|
|
"img-src 'self' data: blob:",
|
|
"style-src 'self' 'unsafe-inline'",
|
|
`script-src 'self' 'unsafe-inline'${isDev ? " 'unsafe-eval'" : ""}`,
|
|
`connect-src 'self'${isDev ? " ws: wss:" : ""}`,
|
|
"frame-ancestors 'none'",
|
|
"base-uri 'self'",
|
|
"form-action 'self'"
|
|
].join("; ");
|
|
|
|
const securityHeaders = [
|
|
{ key: "X-Content-Type-Options", value: "nosniff" },
|
|
{ key: "X-Frame-Options", value: "DENY" },
|
|
{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
|
|
{ key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
|
|
{ key: "Content-Security-Policy", value: csp }
|
|
];
|
|
|
|
/** @type {import('next').NextConfig} */
|
|
const nextConfig = {
|
|
async headers() {
|
|
return [
|
|
{
|
|
source: "/:path*",
|
|
headers: securityHeaders
|
|
}
|
|
];
|
|
}
|
|
};
|
|
|
|
export default nextConfig;
|