forked from SamuelZ12/longcut
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmiddleware.ts
More file actions
58 lines (51 loc) · 2.16 KB
/
middleware.ts
File metadata and controls
58 lines (51 loc) · 2.16 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
import { type NextRequest, NextResponse } from 'next/server'
import { updateSession } from '@/lib/supabase/middleware'
export async function middleware(request: NextRequest) {
// First, handle Supabase session update
const response = await updateSession(request)
// Add Content-Security-Policy and other security headers
const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
// Define CSP directives
const cspHeader = [
"default-src 'self'",
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.youtube.com https://s.ytimg.com https://*.googleapis.com",
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: blob: https://i.ytimg.com https://img.youtube.com https://*.ytimg.com",
"font-src 'self' data:",
"connect-src 'self' https://api.supadata.ai https://*.supabase.co https://*.googleapis.com wss://*.supabase.co https://www.youtube.com",
"media-src 'self' blob: https://www.youtube.com",
"object-src 'none'",
"frame-src https://www.youtube.com https://youtube.com",
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'",
"upgrade-insecure-requests"
].join('; ')
// Apply security headers
response.headers.set('Content-Security-Policy', cspHeader)
response.headers.set('X-Content-Type-Options', 'nosniff')
response.headers.set('X-Frame-Options', 'DENY')
response.headers.set('X-XSS-Protection', '1; mode=block')
response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin')
response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()')
// Add HSTS header for production
if (process.env.NODE_ENV === 'production') {
response.headers.set(
'Strict-Transport-Security',
'max-age=31536000; includeSubDomains'
)
}
return response
}
export const config = {
matcher: [
/*
* Match all request paths except for the ones starting with:
* - _next/static (static files)
* - _next/image (image optimization files)
* - favicon.ico (favicon file)
* Feel free to modify this pattern to include more paths.
*/
'/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
],
}