74 lines
2.7 KiB
TypeScript
74 lines
2.7 KiB
TypeScript
import type { NextConfig } from 'next';
|
|
import path from 'path';
|
|
import withSerwistInit from '@serwist/next';
|
|
|
|
// Content-Security-Policy: scoped to what the app actually loads.
|
|
// - 'unsafe-eval' / 'unsafe-inline' on script-src: Next.js dev runtime and
|
|
// the inline bootstrap script require these. They can be tightened later
|
|
// with a nonce-based approach if needed.
|
|
// - js.stripe.com: Stripe.js (loaded on checkout)
|
|
// - PostHog assets/connect: web/src/components/PostHogProvider.tsx
|
|
// - Google Fonts: layout.tsx <link> tags
|
|
// - Supabase wss: AuthContext realtime + push subscriptions
|
|
const CSP = [
|
|
"default-src 'self'",
|
|
"script-src 'self' 'unsafe-eval' 'unsafe-inline' https://js.stripe.com https://us-assets.i.posthog.com",
|
|
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
|
|
"font-src 'self' https://fonts.gstatic.com",
|
|
"img-src 'self' data: blob: https://*.supabase.co https://cdn.nba.com https://a.espncdn.com",
|
|
"connect-src 'self' https://*.supabase.co wss://*.supabase.co https://api.stripe.com https://us.i.posthog.com https://us-assets.i.posthog.com",
|
|
"frame-src https://js.stripe.com https://hooks.stripe.com",
|
|
"worker-src 'self' blob:",
|
|
"manifest-src 'self'",
|
|
"object-src 'none'",
|
|
"base-uri 'self'",
|
|
"form-action 'self'",
|
|
].join('; ');
|
|
|
|
const nextConfig: NextConfig = {
|
|
output: 'standalone',
|
|
turbopack: {
|
|
root: path.join(__dirname),
|
|
},
|
|
images: {
|
|
remotePatterns: [],
|
|
},
|
|
poweredByHeader: false,
|
|
reactStrictMode: true,
|
|
async headers() {
|
|
return [
|
|
{
|
|
source: '/(.*)',
|
|
headers: [
|
|
{ key: 'Content-Security-Policy', value: CSP },
|
|
{ key: 'X-Frame-Options', value: 'DENY' },
|
|
{ key: 'X-Content-Type-Options', value: 'nosniff' },
|
|
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
|
|
{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
|
|
{ key: 'X-DNS-Prefetch-Control', value: 'on' },
|
|
{ key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
|
|
],
|
|
},
|
|
// The service worker must be served with no-cache or browsers will pin
|
|
// an outdated SW for days. Override the global Cache-Control here.
|
|
{
|
|
source: '/sw.js',
|
|
headers: [
|
|
{ key: 'Cache-Control', value: 'no-cache, no-store, must-revalidate' },
|
|
{ key: 'Service-Worker-Allowed', value: '/' },
|
|
],
|
|
},
|
|
];
|
|
},
|
|
};
|
|
|
|
const withSerwist = withSerwistInit({
|
|
swSrc: 'src/sw.ts',
|
|
swDest: 'public/sw.js',
|
|
// Serwist only ships in production builds — dev requests bypass the SW so
|
|
// hot-reload and source maps work normally.
|
|
disable: process.env.NODE_ENV === 'development',
|
|
});
|
|
|
|
export default withSerwist(nextConfig);
|