Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
9d43e4b113af643d6d47b51a9f8f1a995237d5c2
CapaKraken/apps/web/next.config.ts
T
Hartmut 9d43e4b113 feat: ACN Application Security Standard V7.30 compliance (19/23 items) 
CRITICAL — Authentication & Access:
- TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration,
  admin disable override, /account/security self-service page
- Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge)
- Failed Auth Logging: Pino warn for invalid password/user/totp,
  info for successful login, audit entries for all auth events
- Concurrent Session Limit: ActiveSession model, oldest-kick strategy,
  max 3 per user (configurable in SystemSettings)

CRITICAL — HTTP Security:
- HSTS: max-age=31536000; includeSubDomains
- CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist
- X-XSS-Protection: 0 (CSP replaces legacy)
- Auth page cache: no-store, no-cache, must-revalidate
- Rate Limiting: 100/15min general API, 5/15min auth (Map-based)

Data Protection:
- XSS Sanitization: DOMPurify on comment bodies
- autocomplete="new-password" on all password/secret fields
- SameSite=Strict on all cookies (Credentials-only, no OAuth)
- File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF)

Logging & Monitoring:
- Login/Logout audit entries (Auth entityType)
- External API call logging with timing (OpenAI, Gemini)
- Input validation failure logging at warn level
- Concurrent session tracking in ActiveSession table

Documentation:
- docs/security-architecture.md (11 sections)
- docs/sdlc.md (CI pipeline, security gates, incident response)
- .gitea/PULL_REQUEST_TEMPLATE.md (security checklist)

Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/
sessionIdleTimeout/maxConcurrentSessions, ActiveSession model

Tests: 310 engine + 37 staffing pass. TypeScript clean.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 14:16:39 +01:00

75 lines
2.6 KiB
TypeScript
Raw Blame History

import path from "path";
import type { NextConfig } from "next";
const nextConfig: NextConfig = {
output: "standalone",
devIndicators: false,
experimental: {
optimizePackageImports: ["recharts", "date-fns"],
},
transpilePackages: [
"@capakraken/api",
"@capakraken/db",
"@capakraken/engine",
"@capakraken/shared",
"@capakraken/staffing",
"@capakraken/ui",
],
typedRoutes: true,
async headers() {
return [
{
source: "/(.*)",
headers: [
{ key: "X-Frame-Options", value: "DENY" },
{ key: "X-Content-Type-Options", value: "nosniff" },
{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
{ key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
{ key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
{ key: "Content-Security-Policy", value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https://generativelanguage.googleapis.com https://*.openai.com https://*.azure.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'" },
{ key: "X-XSS-Protection", value: "0" },
],
},
{
source: "/auth/:path*",
headers: [
{ key: "Cache-Control", value: "no-store, no-cache, must-revalidate" },
{ key: "Pragma", value: "no-cache" },
],
},
];
},
// Webpack config (used by `next build` and `next dev` without --turbo)
webpack(config) {
config.resolve.alias = {
...config.resolve.alias,
"~": path.resolve(__dirname, "src"),
};
// Resolve .js imports to .ts/.tsx (TypeScript ESM convention)
config.resolve.extensionAlias = {
...config.resolve.extensionAlias,
".js": [".ts", ".tsx", ".js"],
".jsx": [".tsx", ".jsx"],
};
return config;
},
};
// Only wrap with Sentry in production — the worker.js crash in dev mode
// (vendor-chunks/lib/worker.js MODULE_NOT_FOUND) makes the dev server unstable
// Sentry only in production — dynamic import avoids side effects in dev
let exportedConfig: NextConfig = nextConfig;
if (process.env.NODE_ENV === "production") {
try {
const { withSentryConfig } = require("@sentry/nextjs");
exportedConfig = withSentryConfig(nextConfig, {
silent: true,
sourcemaps: { disable: true },
telemetry: false,
});
} catch {
// Sentry not available — use raw config
}
}
export default exportedConfig;
Reference in New Issue View Git Blame Copy Permalink