fix: address review findings — i18n, a11y, proxy hardening, prop naming

Author: adbergen

pnpm-lock.yaml

@@ -26,7 +26,7 @@
     "@tanstack/react-query": "^5.90.12",
     "@uswds/uswds": "^3.13.0",
     "i18next": "^25.7.3",
-    "next": "16.0.8",
+    "next": "16.1.7",
     "react": "19.2.1",
     "react-dom": "19.2.1",
     "react-i18next": "^16.5.0",
@@ -43,7 +43,7 @@
     "@types/react-dom": "^19",
     "@types/uuid": "^10.0.0",
     "eslint": "^9",
-    "eslint-config-next": "16.0.8",
+    "eslint-config-next": "16.1.7",
     "eslint-plugin-security": "^3.0.1",
     "jsdom": "^27.3.0",
     "msw": "^2.12.4",

src/SEBT.EnrollmentChecker.Web/package.json

@@ -3,13 +3,17 @@ import { NextRequest, NextResponse } from 'next/server'
 
 const BACKEND_URL = env.BACKEND_URL
 const TIMEOUT_MS = 30_000
+const MAX_BODY_BYTES = 50_000
 
 export async function POST(request: NextRequest): Promise<NextResponse> {
   const controller = new AbortController()
   const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS)
 
   try {
     const body = await request.text()
+    if (body.length > MAX_BODY_BYTES) {
+      return NextResponse.json({ error: 'Request too large' }, { status: 413 })
+    }
     const response = await fetch(`${BACKEND_URL}/api/enrollment/check`, {
       method: 'POST',
       headers: {