import type { NextConfig } from "next";

// Remote image hosts the Next.js image optimizer may fetch from.
// Each entry is pinned to HTTPS and an exact hostname; any path is accepted.
const remoteImageHosts = [
  "crafatar.com",
  "mc-heads.net",
  "visage.surgeplay.com",
  "minotar.net",
];

const nextConfig: NextConfig = {
  output: "standalone",

  images: {
    // The allowlist is what keeps the optimizer from being pointed at
    // arbitrary origins; the "/**" pathname does not narrow it further.
    remotePatterns: remoteImageHosts.map((hostname) => ({
      protocol: "https" as const,
      hostname,
      pathname: "/**",
    })),
  },

  /**
   * Static response headers.
   *
   * proxy.ts applies the security headers (CSP and non-CSP) so that they can
   * carry a per-request nonce. The set below is meant for paths the middleware
   * does not cover (e.g. _next/static) and is limited to headers that do not
   * conflict with what proxy.ts sends.
   *
   * NOTE(review): the "/(.*)" source matches every path, so these headers are
   * also attached to routes proxy.ts handles. Confirm the values agree with
   * the ones proxy.ts sets.
   */
  async headers() {
    const staticHeaders = [
      // No Content-Security-Policy entry on purpose: proxy.ts owns the CSP.
      { key: "X-Frame-Options", value: "SAMEORIGIN" },
      { key: "X-Content-Type-Options", value: "nosniff" },
      { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
      {
        key: "Permissions-Policy",
        value: "camera=(), microphone=(), geolocation=(), browsing-topics=()",
      },
      { key: "X-DNS-Prefetch-Control", value: "on" },
      {
        // Two-year HSTS that also covers subdomains and opts in to preload.
        // NOTE(review): every subdomain must serve HTTPS for this to be safe.
        key: "Strict-Transport-Security",
        value: "max-age=63072000; includeSubDomains; preload",
      },
    ];

    return [{ source: "/(.*)", headers: staticHeaders }];
  },

  // Turbopack settings (Turbopack is the default bundler in Next.js 16).
  turbopack: {},

  // Do not send the X-Powered-By header.
  poweredByHeader: false,

  // Run React in strict mode.
  reactStrictMode: true,

  // Compress responses.
  compress: true,

  experimental: {
    serverActions: {
      // Maximum request body accepted by server actions. Actions that take
      // uploads should still validate size and content themselves.
      bodySizeLimit: "10mb",
    },
  },

  // No `crypto` import is needed in this file: the headers above are static.
};

export default nextConfig;