import type { NextConfig } from 'next';
const nextConfig: NextConfig = {
// Security headers for all responses (MP1 Task 10.1)
async headers() {
return [
{
source: '/(.*)',
headers: [
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'X-Frame-Options', value: 'DENY' },
{ key: 'X-XSS-Protection', value: '1; mode=block' },
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()' },
{ key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains; preload' },
],
},
{
source: '/api/:path*',
headers: [
{ key: 'Content-Security-Policy', value: "default-src 'none'; frame-ancestors 'none'" },
// Cache-Control now set per-route in middleware (Task 17.6)
],
},
];
},
// Powered-by header removal
poweredByHeader: false,
};
export default nextConfig;
