Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
8429bd86d4fbb71b0b060245c21de717f0187606
CapaKraken/apps/web/next.config.ts
T
Hartmut 0e119cfe73 security: close audit findings #19–#23 and harden Docker setup (#24) 
#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request
#20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch
#21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth
#22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds
#23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request

#24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob;
    run db:migrate:deploy on container start so a fresh checkout boots without manual steps

Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap)

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 18:19:21 +02:00

99 lines
3.7 KiB
TypeScript
Raw Blame History

import path from "path";
import type { NextConfig } from "next";
const nextConfig: NextConfig = {
distDir: process.env.NEXT_DIST_DIR ?? ".next",
output: "standalone",
outputFileTracingRoot: path.resolve(__dirname, "../.."),
devIndicators: false,
experimental: {
optimizePackageImports: ["recharts", "date-fns"],
},
transpilePackages: [
"@capakraken/api",
"@capakraken/db",
"@capakraken/engine",
"@capakraken/shared",
"@capakraken/staffing",
"@capakraken/ui",
],
typedRoutes: true,
async headers() {
return [
{
source: "/(.*)",
headers: [
{ key: "X-Frame-Options", value: "DENY" },
{ key: "X-Content-Type-Options", value: "nosniff" },
{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
{ key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
{ key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
{
key: "Content-Security-Policy",
value: process.env.NODE_ENV === "production"
// Production: no unsafe-eval, no unsafe-inline in script-src
? "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https://generativelanguage.googleapis.com https://*.openai.com https://*.azure.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
// Development: allow unsafe-eval and unsafe-inline for HMR / dev tooling
: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https://generativelanguage.googleapis.com https://*.openai.com https://*.azure.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
},
{ key: "X-XSS-Protection", value: "0" },
],
},
{
source: "/auth/:path*",
headers: [
{ key: "Cache-Control", value: "no-store, no-cache, must-revalidate" },
{ key: "Pragma", value: "no-cache" },
],
},
{
source: "/api/:path*",
headers: [
{ key: "Cache-Control", value: "no-store" },
{ key: "X-Content-Type-Options", value: "nosniff" },
],
},
{
// Catch-all for error pages and any remaining routes
source: "/:path*",
headers: [
{ key: "Cache-Control", value: "no-store, no-cache, must-revalidate" },
{ key: "Pragma", value: "no-cache" },
],
},
];
},
// Webpack config (used by `next build` and `next dev` without --turbo)
webpack(config) {
config.resolve.alias = {
...config.resolve.alias,
"~": path.resolve(__dirname, "src"),
};
// Resolve .js imports to .ts/.tsx (TypeScript ESM convention)
config.resolve.extensionAlias = {
...config.resolve.extensionAlias,
".js": [".ts", ".tsx", ".js"],
".jsx": [".tsx", ".jsx"],
};
return config;
},
};
// Only wrap with Sentry in production — the worker.js crash in dev mode
// (vendor-chunks/lib/worker.js MODULE_NOT_FOUND) makes the dev server unstable
// Sentry only in production — dynamic import avoids side effects in dev
let exportedConfig: NextConfig = nextConfig;
if (process.env.NODE_ENV === "production") {
try {
const { withSentryConfig } = require("@sentry/nextjs");
exportedConfig = withSentryConfig(nextConfig, {
silent: true,
sourcemaps: { disable: true },
telemetry: false,
});
} catch {
// Sentry not available — use raw config
}
}
export default exportedConfig;
Reference in New Issue View Git Blame Copy Permalink