caddy-proxy-manager/next.config.mjs
fuomag9 75044c8d9b fix: harden security post-review (JWT exposure, rate limiter, token expiry, timing)
- Raw JWT never sent to browser: page.tsx uses peekLinkingToken (read-only),
  client sends opaque linkingId, API calls retrieveLinkingToken server-side
- link-account rate limiter now uses isRateLimited/registerFailedAttempt/
  resetAttempts correctly (count only failures, reset on success)
- linking_tokens gains expiresAt column (indexed) + opportunistic expiry
  purge on insert to prevent unbounded table growth
- secureTokenCompare fixed: pad+slice to expected length so timing is
  constant regardless of submitted token length (no length leak)
- autoLinkOAuth uses config.oauth.allowAutoLinking (boolean) instead of
  process.env truthy check that mishandles OAUTH_ALLOW_AUTO_LINKING=false
- Add Permissions-Policy header; restore X-Frame-Options for legacy UAs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-25 20:58:21 +01:00


import { fileURLToPath } from 'node:url';
/**
 * Next.js configuration: standalone build output, a 2 MB body limit for
 * Server Actions, and one rule that attaches security response headers to
 * every route.
 *
 * @type {import('next').NextConfig}
 */
const nextConfig = {
  experimental: {
    serverActions: {
      // Upper bound on the request body accepted by Server Actions.
      bodySizeLimit: '2mb',
    },
  },
  output: 'standalone',

  /**
   * Builds the response-header rules. NODE_ENV is read on each call, so the
   * script-src directive reflects the environment at the time of the call.
   *
   * @returns {Promise<Array<{ source: string, headers: Array<{ key: string, value: string }> }>>}
   *   A single rule matching all paths.
   */
  async headers() {
    const devMode = process.env.NODE_ENV === "development";

    // 'unsafe-inline' is allowed in every environment; only 'unsafe-eval' is
    // limited to development (Next.js HMR).
    // NOTE(review): because 'unsafe-inline' stays in the production policy,
    // this CSP does not stop injected inline scripts. Dropping it would need
    // nonce- or hash-based script-src; confirm whether the app can adopt that.
    const scriptSources = ["'self'", "'unsafe-inline'"];
    if (devMode) {
      scriptSources.push("'unsafe-eval'");
    }

    // NOTE(review): default-src is not a fallback for base-uri or form-action,
    // so neither is restricted by this policy. Verify any form-action value
    // against the OAuth sign-in redirects before adding one.
    const cspDirectives = [
      "default-src 'self'",
      `script-src ${scriptSources.join(" ")}`,
      "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
      "font-src 'self' https://fonts.gstatic.com",
      "img-src 'self' data: blob:",
      "connect-src 'self'",
      // Modern replacement for X-Frame-Options: DENY.
      "frame-ancestors 'none'",
    ];

    const securityHeaders = [
      { key: "X-Content-Type-Options", value: "nosniff" },
      // Retained for older browsers that ignore the frame-ancestors directive.
      { key: "X-Frame-Options", value: "DENY" },
      { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
      // Empty allowlists: each listed feature is disabled for all origins.
      {
        key: "Permissions-Policy",
        value: "camera=(), microphone=(), geolocation=(), interest-cohort=()",
      },
      { key: "Content-Security-Policy", value: cspDirectives.join("; ") },
    ];

    // One catch-all rule. The CSP has no practical effect on API responses,
    // but those routes still receive the other headers.
    const allRoutes = { source: "/(.*)", headers: securityHeaders };
    return [allRoutes];
  },
};

export default nextConfig;