Leon Serfaty
51c541ad22
Cross-cutting input-validation, isolation, and DoS-resistance fixes across the app, API, billing, queue, and infra layers. - Runtime validation (zod) for client-supplied admin actions (role/plan/ limits), series generation index, and all pg-boss queue payloads - Auth: require email verification before sign-in; reject weak/placeholder/ short BETTER_AUTH_SECRET in production - Billing: sanitize Stripe/PayPal errors (log server-side, generic to client); race-safe subscription upsert; only count "processed" webhook events as handled; verify org membership in getEffectivePlan to block plan escalation - Series generation: reserve usage up front and refund on failure; bill the owning org, not the caller's active org - Injection defenses: HTML-escape user fields in emails, strip CR/LF from subject/recipient, validate ElevenLabs voiceId before URL interpolation - Media routes: stream off disk instead of buffering whole files; rate-limit anonymous public audio/cover endpoints by client IP
46 lines
1.9 KiB
JavaScript
46 lines
1.9 KiB
JavaScript
/** @type {import('next').NextConfig} */
|
|
const nextConfig = {
|
|
// Standalone output so PM2 can run `node .next/standalone/server.js` on the Plesk VPS.
|
|
output: "standalone",
|
|
reactStrictMode: true,
|
|
eslint: {
|
|
// Lint is run as its own step in CI; don't fail production builds on lint.
|
|
ignoreDuringBuilds: true,
|
|
},
|
|
images: {
|
|
remotePatterns: [
|
|
// DALL·E asset URLs (OpenAI blob storage) used before they are persisted to local disk.
|
|
// Scoped to the single OpenAI host actually used — no broad *.blob.core.windows.net wildcard.
|
|
{ protocol: "https", hostname: "oaidalleapiprodscus.blob.core.windows.net" },
|
|
// Marketing imagery (features/about pages).
|
|
{ protocol: "https", hostname: "images.unsplash.com" },
|
|
],
|
|
},
|
|
// Server-only packages that should be required at runtime, not bundled by webpack.
|
|
// better-auth ships internal adapters (kysely) that break webpack's ESM analysis.
|
|
serverExternalPackages: ["pg-boss", "@prisma/client", "better-auth"],
|
|
// Static security headers applied to every route. The Content-Security-Policy is
|
|
// intentionally NOT set here — it is built per-request with a nonce in middleware.ts
|
|
// so script-src can drop 'unsafe-inline'/'unsafe-eval' (nonce + 'strict-dynamic').
|
|
async headers() {
|
|
return [
|
|
{
|
|
source: "/:path*",
|
|
headers: [
|
|
{ key: "X-Frame-Options", value: "DENY" },
|
|
{ key: "X-Content-Type-Options", value: "nosniff" },
|
|
{ key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
|
|
{ key: "X-DNS-Prefetch-Control", value: "off" },
|
|
{ key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
|
|
{
|
|
key: "Strict-Transport-Security",
|
|
value: "max-age=63072000; includeSubDomains; preload",
|
|
},
|
|
],
|
|
},
|
|
];
|
|
},
|
|
};
|
|
|
|
export default nextConfig;
|