next.config.mjs
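/** @type {import('next').NextConfig} */
const nextConfig = {
  reactStrictMode: true,
  poweredByHeader: false, // do not advertise the framework in responses
  compress: true,
  output: 'standalone',

  /**
   * Response headers Next.js attaches to matching routes.
   *
   * Security headers go on every path; Cache-Control is set per asset class
   * and is always `no-store` outside production so local edits show up on
   * reload.
   *
   * Precedence: when several rules match one path and set the same header
   * key, Next.js applies the LAST matching rule. Rules that must win over a
   * broader pattern therefore come later in the returned array.
   *
   * @returns {Promise<Array<{source: string, headers: Array<{key: string, value: string}>}>>}
   */
  async headers() {
    const isProduction = process.env.NODE_ENV === 'production';

    // Build a Cache-Control rule for `source`; development never caches.
    const cacheRule = (source, productionValue) => ({
      source,
      headers: [
        {
          key: 'Cache-Control',
          value: isProduction ? productionValue : 'no-store',
        },
      ],
    });

    // Security headers common to all environments
    const securityHeaders = [
      {
        key: 'X-DNS-Prefetch-Control',
        value: 'on',
      },
      {
        key: 'X-Frame-Options',
        value: 'SAMEORIGIN', // Aligned with CSP frame-ancestors 'self'
      },
      {
        key: 'X-Content-Type-Options',
        value: 'nosniff',
      },
      {
        key: 'Referrer-Policy',
        value: 'strict-origin-when-cross-origin',
      },
      {
        key: 'Permissions-Policy',
        value:
          'camera=(), microphone=(), geolocation=(), interest-cohort=(), browsing-topics=(), attribution-reporting=(), run-ad-auction=(), join-ad-interest-group=(), shared-storage=()',
      },
      // CSP headers are configured outside of this Next.js headers() configuration (e.g., via middleware/proxy) to support nonces
    ];

    // Only add HSTS in production to prevent local SSL errors
    if (isProduction) {
      securityHeaders.push({
        key: 'Strict-Transport-Security',
        value: 'max-age=31536000; includeSubDomains; preload',
      });
    }

    return [
      {
        source: '/:path*',
        headers: [...securityHeaders],
      },
      cacheRule('/js/:path*', 'public, max-age=3600'),
      // Build metadata: no-store in development for fresh updates on reload,
      // short TTL in production to balance freshness and performance
      cacheRule('/meta.json', 'public, max-age=300, must-revalidate'),
      // Fonts for 30 days (font files are not versioned/hashed, shorter cache prevents stale fonts)
      cacheRule('/fonts/:path*', 'public, max-age=2592000'),
      // Image assets under public/ — root-level and subdirectory files like /profile.jpg, /file.svg.
      // This pattern is broad enough to also match image files under /_next/static, so the
      // /_next/static rule must come AFTER it: for an identical header key the last matching
      // rule wins, and an earlier "more specific" rule would be overridden by this one.
      cacheRule('/:path*\\.(svg|jpg|jpeg|png|webp|avif|ico)', 'public, max-age=3600'),
      // Preserve Next.js's immutable caching for hashed build assets.
      // Placed last so it takes precedence over the broader image rule above.
      cacheRule('/_next/static/:path*', 'public, max-age=31536000, immutable'),
    ];
  },

  images: {
    formats: ['image/avif', 'image/webp'],
    minimumCacheTTL: 31536000,
    deviceSizes: [640, 750, 828, 1080, 1200, 1920],
    imageSizes: [16, 32, 48, 64, 96, 128, 256, 384],
    remotePatterns: [], // no remote image hosts are allowed
  },
};

export default nextConfig;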