dev-Portfolio/middleware.ts at develop · andyvn1/dev-Portfolio · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

export function middleware(request: NextRequest) {
  const response = NextResponse.next()

  // Prevent browsers from guessing the file type — serve only what the server declares
  response.headers.set('X-Content-Type-Options', 'nosniff')

  // Send full URL on same-origin requests, only the domain on cross-origin
  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin')

  // Belt-and-suspenders frame protection for older browsers (CSP handles modern ones)
  response.headers.set('X-Frame-Options', 'DENY')

  // Content Security Policy — controls what the browser is allowed to load
  const csp = [
    "default-src 'self'",
    // Next.js requires unsafe-inline for hydration scripts and unsafe-eval in dev
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    // Tailwind applies styles inline — unsafe-inline is required
    "style-src 'self' 'unsafe-inline'",
    // Next.js Image optimization produces data: URIs; blob: for future use
    "img-src 'self' data: blob:",
    // Fonts served from the same origin only
    "font-src 'self'",
    // API calls and WebSocket connections limited to same origin
    "connect-src 'self'",
    // No iframes allowed — site cannot be embedded anywhere
    "frame-src 'none'",
    "frame-ancestors 'none'",
    // No Flash, Java, or other legacy plugins
    "object-src 'none'",
    // Prevents base tag injection attacks
    "base-uri 'self'",
  ].join('; ')

  response.headers.set('Content-Security-Policy', csp)

  return response
}

export const config = {
  matcher: [
    // Apply to all routes except Next.js internals and static files
    '/((?!_next/static|_next/image|favicon.ico).*)',
  ],
}