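// Fallback backend URL used when NEXT_PUBLIC_API_URL is unset or empty.
// One constant feeds both the CSP connect-src allow-list and the
// next/image host allow-list so the two cannot drift apart (the original
// config used "http://localhost:8000" for one and "localhost" for the other).
const DEFAULT_API_URL = "http://localhost:8000";

/**
 * Parse the configured API URL into a URL object.
 *
 * `||` rather than `??` is intentional: an empty NEXT_PUBLIC_API_URL should
 * fall back to the default, not produce an unparseable value. A scheme-less
 * value such as `localhost:8000` is accepted and treated as http://, which is
 * what the previous string-splitting extraction tolerated.
 *
 * @param {string | undefined} raw - value of NEXT_PUBLIC_API_URL
 * @returns {URL} the parsed absolute URL
 * @throws {TypeError} when the value cannot be parsed as a URL; failing at
 *   config load is preferable to emitting a broken CSP or image allow-list
 */
function parseApiUrl(raw) {
  const value = raw || DEFAULT_API_URL;
  const withScheme = /^https?:\/\//i.test(value) ? value : `http://${value}`;
  return new URL(withScheme);
}

const apiUrl = parseApiUrl(process.env.NEXT_PUBLIC_API_URL);

// Content-Security-Policy directives, joined into a single header value.
const contentSecurityPolicy = [
  "default-src 'self'",
  // 'unsafe-eval' and 'unsafe-inline' largely neutralise script-src as an
  // injection mitigation. They are presumably here for the Next.js dev
  // runtime and its inline bootstrap scripts — TODO confirm, and replace
  // with a nonce/hash strategy in production builds where possible.
  "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
  "font-src 'self' https://fonts.gstatic.com",
  "img-src 'self' data: blob: https:",
  // Only the origin is emitted. A CSP source that carries a path (e.g. an
  // API URL ending in /v1) is path-matched, which would block requests to
  // sub-paths; the previous config interpolated the raw value.
  `connect-src 'self' ${apiUrl.origin}`,
  "frame-src 'none'",
  // frame-ancestors is the CSP counterpart of the X-Frame-Options header
  // below; setting both keeps browsers that honour either header in
  // agreement about who may embed this site.
  "frame-ancestors 'self'",
  "object-src 'none'",
  "base-uri 'self'",
  "form-action 'self'",
].join("; ");

// Headers applied to every route by nextConfig.headers().
const securityHeaders = [
  { key: "Content-Security-Policy", value: contentSecurityPolicy },
  { key: "X-DNS-Prefetch-Control", value: "on" },
  // Kept alongside frame-ancestors for browsers that predate CSP 2.
  { key: "X-Frame-Options", value: "SAMEORIGIN" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
];

/** @type {import('next').NextConfig} */
const nextConfig = {
  output: "standalone",
  experimental: {
    serverActions: true,
  },
  images: {
    // Hostname via the URL parser rather than regex/split: the previous
    // extraction left any path component attached ("host/v1") and
    // mangled bracketed IPv6 hosts.
    domains: [apiUrl.hostname],
  },
  /**
   * Attach the security headers to every path.
   * @returns {Promise<Array<{source: string, headers: typeof securityHeaders}>>}
   */
  async headers() {
    return [
      {
        source: "/(.*)",
        headers: securityHeaders,
      },
    ];
  },
};

module.exports = nextConfig;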