585fdc6ab6
- Replace innerHTML/setHTML with DOM API (createElement/textContent/setDOMContent) to prevent XSS via user-controlled listing titles, URLs, and prices - Add Content-Security-Policy header to next.config.js with proper directives for Mapbox, API, images, workers, and frame-ancestors - Add X-CSRF-Token header to media upload fetch call, matching apiClient behavior Co-Authored-By: Paperclip <noreply@paperclip.ing>
46 lines
1.5 KiB
JavaScript
46 lines
1.5 KiB
JavaScript
/** @type {import('next').NextConfig} */
|
|
const nextConfig = {
|
|
reactStrictMode: true,
|
|
output: 'standalone',
|
|
images: {
|
|
remotePatterns: [
|
|
{
|
|
protocol: 'https',
|
|
hostname: '**',
|
|
},
|
|
],
|
|
},
|
|
async headers() {
|
|
return [
|
|
{
|
|
source: '/(.*)',
|
|
headers: [
|
|
{ key: 'X-Content-Type-Options', value: 'nosniff' },
|
|
{ key: 'X-Frame-Options', value: 'DENY' },
|
|
{ key: 'X-XSS-Protection', value: '1; mode=block' },
|
|
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
|
|
{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(self)' },
|
|
{
|
|
key: 'Content-Security-Policy',
|
|
value: [
|
|
"default-src 'self'",
|
|
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://api.mapbox.com",
|
|
"style-src 'self' 'unsafe-inline' https://api.mapbox.com",
|
|
"img-src 'self' data: blob: https://*.mapbox.com https://*.tiles.mapbox.com https:",
|
|
"font-src 'self' data:",
|
|
"connect-src 'self' https://*.mapbox.com https://api.mapbox.com https://events.mapbox.com http://localhost:3001",
|
|
"worker-src 'self' blob:",
|
|
"child-src 'self' blob:",
|
|
"frame-ancestors 'none'",
|
|
"base-uri 'self'",
|
|
"form-action 'self'",
|
|
].join('; '),
|
|
},
|
|
],
|
|
},
|
|
];
|
|
},
|
|
};
|
|
|
|
module.exports = nextConfig;
|