forked from blefnk/relivator
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnext.config.mjs
187 lines (173 loc) · 6.12 KB
/
next.config.mjs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
/**
* Everything starts here. This is the main Next.js configuration file.
* @see https://nextjs.org/docs/app/building-your-application/configuring
*/
import createMDX from "@next/mdx";
// import million from "million/compiler";
import nextIntlPlugin from "next-intl/plugin";
import { createSecureHeaders } from "next-secure-headers";
import remarkGfm from "remark-gfm";
import ContentSecurityPolicy from "./src/core/cors/csp.mjs";
/**
* If you need, you can very dangerously run build or dev with SKIP_ENV_VALIDATION.
* It skips environment vars validation. This is especially useful for Docker builds.
* @example !process.env.SKIP_ENV_VALIDATION && (await import("./src/env.mjs"));
*/
await import("./src/env.mjs");
/**
* The whitelist list of domains,
* that are allowed to show media.
*/
const hostnames = [
"*.githubusercontent.com",
"*.googleusercontent.com",
"api.dicebear.com",
"cdn.discordapp.com",
"discordapp.com",
"githubusercontent.com",
"googleusercontent.com",
"i.imgur.com",
"images.unsplash.com",
"img.youtube.com",
"pbs.twimg.com",
"res.cloudinary.com",
"utfs.io",
"www.gravatar.com",
];
/** @type {import('next').NextConfig} */
const nextConfig = {
reactStrictMode: true,
swcMinify: true,
experimental: {
serverComponentsExternalPackages: ["mysql2"],
mdxRs: true,
},
images: {
formats: ["image/avif", "image/webp"],
remotePatterns: hostnames.map((hostname) => ({
protocol: "https",
hostname,
})),
contentSecurityPolicy:
process.env.NEXT_PUBLIC_CSP_XSS === "true"
? `default-src 'self'; frame-src 'none'; img-src 'https://*.googleusercontent.com'; font-src 'self', ${process.env.NEXT_PUBLIC_APP_URL}; sandbox;`
: undefined,
},
async headers() {
// todo: Please note: it is still experimental, so
// todo: NEXT_PUBLIC_CSP_XSS is "false" by default
if (process.env.NEXT_PUBLIC_CSP_XSS === "true") {
const headers = [];
// Prevent search engines from indexing the site if it is not live
// This is useful for staging environments before they are ready to go live
// To allow robots to crawl the site, use the NEXT_PUBLIC_IS_LIVE env variable
// You may want to also use this variable to conditionally render any tracking scripts
// @see https://github.com/payloadcms/payload/blob/main/templates/ecommerce/next.config.js
if (process.env.NEXT_PUBLIC_IS_LIVE === "false") {
headers.push({
headers: [
{
key: "X-Robots-Tag",
value: "noindex",
},
],
source: "/:path*",
});
}
// Set the Content-Security-Policy header as a security measure to prevent XSS attacks
// It works by explicitly whitelisting trusted sources of content for your website
// This will block all inline scripts and styles except for those that are allowed
// todo: @see src/core/cors/csp.mjs for more details | work in progress | not fully tested
// todo: make it more stable | currently too much things are allowed than needed
headers.push({
source: "/(.*)",
headers: [
{
key: "Content-Security-Policy",
// todo: looks like we need to specify some policies
// todo: here & some in images.contentSecurityPolicy
value: ContentSecurityPolicy,
},
{
key: "Access-Control-Allow-Credentials",
value: "true",
},
{
key: "Access-Control-Allow-Origin",
value: "*",
},
{
key: "Access-Control-Allow-Methods",
value: "GET,DELETE,PATCH,POST,PUT",
},
{
key: "Access-Control-Allow-Headers",
value:
"X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version",
},
],
});
// Note: to apply CSP changes while dev runtime,
// CTRL+S this file, to reload Next.js' server.
return headers;
} else {
// @see https://github.com/jagaapple/next-secure-headers
// default option: using next-secure-headers csp library
return [
{
source: "/(.*)",
headers: createSecureHeaders(),
},
];
}
},
//
// Dangerously allow builds to successfully complete
// even if your project has the types/eslint errors.
//
// [Good to know if you want to toggle because `next build` errors]:
// Next.js has built-in support for TypeScript, using its own plugin.
// But while you use `pnpm build`, it stops on the first type errors.
// So you can use `pnpm typecheck` to check all type warns/errors at once.
//
typescript: { ignoreBuildErrors: false },
eslint: { ignoreDuringBuilds: false },
};
/**
* Create a config wrapper required to integrate a modern Nextjs MDX support.
* @see https://nextjs.org/docs/app/building-your-application/configuring/mdx
*/
const withMDX = createMDX({ options: { remarkPlugins: [remarkGfm] } });
/**
* Create configuration wrapper required for using next-intl with React Server Components.
* @see https://next-intl-docs.vercel.app/docs/getting-started/app-router-server-components
*/
const withNextIntl = nextIntlPlugin(
// Specify a custom next-intl path
"./src/i18n.ts",
);
/**
* Send merged Next.js config to server.
* @see https://million.dev/docs/install
*/
// @ ts-expect-error ⚠️ v1.2.5
// export default million.next(withNextIntl(withMDX(nextConfig)), {
// auto: { rsc: true },
// });
export default withNextIntl(withMDX(nextConfig));
/* ========================================================== */
// For the Future Consideration
/* ========================================================== */
/**
* Navita: Atomic CSS-in-JS with zero runtime
* pnpm add @navita/css @navita/next-plugin
* @see https://navita.style
*/
// import { createNavitaStylePlugin } from "@navita/next-plugin";
// export default withNavita(withMDX(withNextIntl(nextConfig)));
// const withNavita = createNavitaStylePlugin({});
/**
* Panda: Type-Safe CSS-in-JS
* pnpm add -D @pandacss/dev
* @see https://panda-css.com
*/