import type { NextConfig } from "next";
// Hosts that next/image is allowed to load remote images from. Every entry is
// HTTPS-only, and `/**` accepts any path on that host.
// NOTE(review): if only specific avatar routes are used, narrowing `pathname`
// would reduce what the image optimizer can be asked to fetch.
const remoteImageHosts = [
  "crafatar.com",
  "mc-heads.net",
  "visage.surgeplay.com",
  "minotar.net",
];

const nextConfig: NextConfig = {
  output: "standalone",

  images: {
    remotePatterns: remoteImageHosts.map((hostname) => ({
      protocol: "https" as const,
      hostname,
      pathname: "/**",
    })),
  },

  // proxy.ts applies the security headers (CSP and non-CSP) because they need
  // a per-request nonce. This function only adds static headers that do not
  // conflict, for paths the middleware does not cover (e.g. _next/static).
  // NOTE(review): `source: "/(.*)"` matches every path, so these headers are
  // also emitted on routes proxy.ts handles. Confirm both places agree.
  async headers() {
    const staticHeaders = [
      // No CSP entry on purpose: proxy.ts owns it.
      { key: "X-Frame-Options", value: "SAMEORIGIN" },
      { key: "X-Content-Type-Options", value: "nosniff" },
      { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
      {
        key: "Permissions-Policy",
        value: "camera=(), microphone=(), geolocation=(), browsing-topics=()",
      },
      { key: "X-DNS-Prefetch-Control", value: "on" },
      // max-age is two years. `includeSubDomains; preload` commits every
      // subdomain to HTTPS, and preload-list inclusion is slow to undo, so
      // every subdomain must serve HTTPS before relying on it.
      {
        key: "Strict-Transport-Security",
        value: "max-age=63072000; includeSubDomains; preload",
      },
    ];

    return [{ source: "/(.*)", headers: staticHeaders }];
  },

  // Turbopack is the default bundler in Next.js 16; no overrides are needed.
  turbopack: {},

  // Do not send the X-Powered-By header.
  poweredByHeader: false,

  // Run React in strict mode.
  reactStrictMode: true,

  // Compress responses.
  compress: true,

  // Request body cap for Server Actions.
  // NOTE(review): 10mb is above the Next.js default of 1MB. Confirm the
  // largest expected payload and that any upstream proxy enforces a limit too.
  experimental: {
    serverActions: {
      bodySizeLimit: "10mb",
    },
  },

  // No `crypto` import is needed in this file: the static headers above use
  // no nonce.
};

export default nextConfig;