ViTransfer/next.config.js at main · Talla/ViTransfer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
/** @type {import('next').NextConfig} */
const nextConfig = {
  // Increase body size limit for TUS chunked uploads
  // TUS uploads can send chunks larger than 10MB (default Next.js limit)
  // Set to 100MB to handle large video chunks safely
  experimental: {
    serverActions: {
      bodySizeLimit: '100mb'
    }
  },

  // SECURITY: Add comprehensive security headers
  async headers() {
    // Check if HTTPS is enabled (via environment variable)
    const isHttpsEnabled = process.env.HTTPS_ENABLED === 'true' || process.env.HTTPS_ENABLED === '1';
    const tusEndpoint = process.env.NEXT_PUBLIC_TUS_ENDPOINT
    const cspDirectives = [
      {
        key: 'Content-Security-Policy',
        value: [
          "default-src 'self'",
          "script-src 'self' 'unsafe-inline' https: https://storage.ko-fi.com",
          "style-src 'self' 'unsafe-inline' https:",
          "img-src * data: blob: https://storage.ko-fi.com",
          "font-src * data:",
          `connect-src 'self' blob: ${tusEndpoint || ''} https: https://ko-fi.com https://storage.ko-fi.com`,
          "media-src * blob:",
          "object-src 'none'",
          "base-uri 'self'",
          "form-action 'self'",
          "frame-ancestors 'none'",
          "frame-src 'self' https://ko-fi.com",
        ]
      },
      {
        key: 'X-DNS-Prefetch-Control',
        value: 'on'
      },
      {
        key: 'X-Frame-Options',
        value: 'DENY'
      },
      {
        key: 'X-Content-Type-Options',
        value: 'nosniff'
      },
      {
        key: 'Referrer-Policy',
        value: 'same-origin'
      },
      {
        key: 'Permissions-Policy',
        value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()'
      }
    ];

    // Only upgrade to HTTPS when HTTPS is actually enabled
    if (isHttpsEnabled) {
      cspDirectives[0].value.push('upgrade-insecure-requests');
    }

    const securityHeaders = cspDirectives.map(header => {
      if (header.key === 'Content-Security-Policy') {
        return { ...header, value: header.value.join('; ') };
      }
      return header;
    });

    // Only add HSTS when HTTPS is enabled
    if (isHttpsEnabled) {
      securityHeaders.push({
        key: 'Strict-Transport-Security',
        value: 'max-age=63072000; includeSubDomains; preload'
      });
    }

    return [
      {
        source: '/:path*',
        headers: securityHeaders,
      },
      {
        // Share links - still deny framing for security
        source: '/share/:path*',
        headers: [
          {
            key: 'X-Frame-Options',
            value: 'DENY'
          }
        ]
      }
    ]
  }
}

module.exports = nextConfig