next.config.mjs

/** @type {import('next').NextConfig} */
const nextConfig = {
  // Standalone output so PM2 can run `node .next/standalone/server.js` on the Plesk VPS.
  output: "standalone",
  reactStrictMode: true,
  eslint: {
    // Lint is run as its own step in CI; don't fail production builds on lint.
    ignoreDuringBuilds: true,
  },
  images: {
    remotePatterns: [
      // DALL·E asset URLs (OpenAI blob storage) used before they are persisted to local disk.
      // Scoped to the single OpenAI host actually used — no broad *.blob.core.windows.net wildcard.
      { protocol: "https", hostname: "oaidalleapiprodscus.blob.core.windows.net" },
      // Marketing imagery (features/about pages).
      { protocol: "https", hostname: "images.unsplash.com" },
    ],
  },
  // Server-only packages that should be required at runtime, not bundled by webpack.
  // better-auth ships internal adapters (kysely) that break webpack's ESM analysis.
  serverExternalPackages: ["pg-boss", "@prisma/client", "better-auth"],
  // Security headers applied to every route.
  async headers() {
    // Pragmatic CSP: Next.js's inline/runtime bootstrap currently requires
    // 'unsafe-inline'/'unsafe-eval' in script-src. Future improvement: tighten
    // to per-request nonces (and drop 'unsafe-*') once the app is migrated.
    const csp = [
      "default-src 'self'",
      "img-src 'self' data: https://*.blob.core.windows.net https://images.unsplash.com",
      "media-src 'self'",
      "style-src 'self' 'unsafe-inline'",
      "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
      "connect-src 'self'",
      "frame-ancestors 'none'",
      "base-uri 'self'",
      "form-action 'self'",
    ].join("; ");
    return [
      {
        source: "/:path*",
        headers: [
          { key: "X-Frame-Options", value: "DENY" },
          { key: "X-Content-Type-Options", value: "nosniff" },
          { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
          { key: "X-DNS-Prefetch-Control", value: "off" },
          { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
          {
            key: "Strict-Transport-Security",
            value: "max-age=63072000; includeSubDomains; preload",
          },
          { key: "Content-Security-Policy", value: csp },
        ],
      },
    ];
  },
};

export default nextConfig;
Initial commit: PodcastYes — AI podcast platform 2026-06-07 03:58:32 -04:00			`/** @type {import('next').NextConfig} */`
			`const nextConfig = {`
			// Standalone output so PM2 can run `node .next/standalone/server.js` on the Plesk VPS.
			`output: "standalone",`
			`reactStrictMode: true,`
			`eslint: {`
			`// Lint is run as its own step in CI; don't fail production builds on lint.`
			`ignoreDuringBuilds: true,`
			`},`
			`images: {`
			`remotePatterns: [`
			`// DALL·E asset URLs (OpenAI blob storage) used before they are persisted to local disk.`
Comprehensive admin + user dashboards (production-ready) 2026-06-07 17:54:30 -04:00			`// Scoped to the single OpenAI host actually used — no broad *.blob.core.windows.net wildcard.`
Initial commit: PodcastYes — AI podcast platform 2026-06-07 03:58:32 -04:00			`{ protocol: "https", hostname: "oaidalleapiprodscus.blob.core.windows.net" },`
Add comprehensive /features page + allow Unsplash imagery 2026-06-08 04:37:10 -04:00			`// Marketing imagery (features/about pages).`
			`{ protocol: "https", hostname: "images.unsplash.com" },`
Initial commit: PodcastYes — AI podcast platform 2026-06-07 03:58:32 -04:00			`],`
			`},`
			`// Server-only packages that should be required at runtime, not bundled by webpack.`
			`// better-auth ships internal adapters (kysely) that break webpack's ESM analysis.`
			`serverExternalPackages: ["pg-boss", "@prisma/client", "better-auth"],`
Comprehensive admin + user dashboards (production-ready) 2026-06-07 17:54:30 -04:00			`// Security headers applied to every route.`
			`async headers() {`
			`// Pragmatic CSP: Next.js's inline/runtime bootstrap currently requires`
			`// 'unsafe-inline'/'unsafe-eval' in script-src. Future improvement: tighten`
			`// to per-request nonces (and drop 'unsafe-*') once the app is migrated.`
			`const csp = [`
			`"default-src 'self'",`
Add comprehensive /features page + allow Unsplash imagery 2026-06-08 04:37:10 -04:00			`"img-src 'self' data: https://*.blob.core.windows.net https://images.unsplash.com",`
Comprehensive admin + user dashboards (production-ready) 2026-06-07 17:54:30 -04:00			`"media-src 'self'",`
			`"style-src 'self' 'unsafe-inline'",`
			`"script-src 'self' 'unsafe-inline' 'unsafe-eval'",`
			`"connect-src 'self'",`
			`"frame-ancestors 'none'",`
			`"base-uri 'self'",`
			`"form-action 'self'",`
			`].join("; ");`
			`return [`
			`{`
			`source: "/:path*",`
			`headers: [`
			`{ key: "X-Frame-Options", value: "DENY" },`
			`{ key: "X-Content-Type-Options", value: "nosniff" },`
			`{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },`
			`{ key: "X-DNS-Prefetch-Control", value: "off" },`
			`{ key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },`
			`{`
			`key: "Strict-Transport-Security",`
			`value: "max-age=63072000; includeSubDomains; preload",`
			`},`
			`{ key: "Content-Security-Policy", value: csp },`
			`],`
			`},`
			`];`
			`},`
Initial commit: PodcastYes — AI podcast platform 2026-06-07 03:58:32 -04:00			`};`

			`export default nextConfig;`