vsap/next.config.security.js at main · sanphm/vsap · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
/**
 * Next.js Security Configuration Template
 * Based on TIP-015: Security Hardening
 *
 * Copy this template into your app's next.config.js and customize the headers configuration
 *
 * Usage:
 * // next.config.js
 * import { securityHeaders } from '@erp/security';
 * import securityConfig from '../../next.config.security.js';
 *
 * export default securityConfig;
 */

import { securityHeaders, strictSecurityHeaders, devSecurityHeaders } from '@erp/security';

const isProduction = process.env.NODE_ENV === 'production';

/**
 * CSP directives configuration
 * Customize these based on your app's needs
 */
const cspDirectives = isProduction
  ? {
      'default-src': ["'self'"],
      'script-src': ["'self'", "'strict-dynamic'"],
      'style-src': ["'self'"],
      'img-src': ["'self'", 'data:', 'https:'],
      'font-src': ["'self'"],
      'connect-src': ["'self'", 'https://api.vierp.com'],
      'frame-ancestors': ["'self'"],
      'upgrade-insecure-requests': [],
    }
  : {
      'default-src': ["'self'"],
      'script-src': ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
      'style-src': ["'self'", "'unsafe-inline'"],
      'img-src': ["'self'", 'data:', 'https:'],
      'font-src': ["'self'", 'data:', 'https:'],
      'connect-src': ["'self'", 'https:', 'ws:', 'wss:'],
      'frame-ancestors': ["'self'"],
    };

/**
 * Generate Next.js headers configuration
 */
function getSecurityHeaders() {
  const config = {
    cspDirectives,
    frameAncestors: ["'self'"],
    hsts: isProduction,
    hstsMaxAge: 31536000, // 1 year
    hstsIncludeSubdomains: true,
  };

  return isProduction
    ? strictSecurityHeaders(config)
    : devSecurityHeaders(config);
}

/**
 * Next.js configuration with security headers
 */
export default {
  reactStrictMode: true,
  swcMinify: true,

  /**
   * Apply security headers to all routes
   */
  async headers() {
    const securityHdrs = getSecurityHeaders();

    return [
      {
        source: '/:path*',
        headers: securityHdrs,
      },
      // Additional security headers for API routes
      {
        source: '/api/:path*',
        headers: [
          ...securityHdrs,
          {
            key: 'X-API-Version',
            value: '1',
          },
        ],
      },
      // Cache headers for static assets
      {
        source: '/static/:path*',
        headers: [
          {
            key: 'Cache-Control',
            value: 'public, max-age=31536000, immutable',
          },
        ],
      },
    ];
  },

  /**
   * Redirect HTTP to HTTPS in production
   */
  async redirects() {
    if (!isProduction) {
      return [];
    }

    return [
      {
        source: '/:path*',
        has: [
          {
            type: 'header',
            key: 'x-forwarded-proto',
            value: '(?!https)',
          },
        ],
        destination: 'https://:host/:path*',
        permanent: true,
      },
    ];
  },

  /**
   * Security environment variables
   */
  env: {
    NEXT_PUBLIC_API_URL: process.env.NEXT_PUBLIC_API_URL || 'http://localhost:3000/api',
  },

  /**
   * Experimental security features (optional)
   */
  experimental: {
    // Enable instrumentation to monitor security events
    // instrumentationHook: true,
  },
};