/** * Next.js Middleware * * Applies security headers to all routes. * Runs on every request before the page/API route is executed. * * Security Features: * - Security headers for all responses * - CORS configuration (if needed) * * OWASP Compliance: * - A05:2021 (Security Misconfiguration) - Security headers */ import { NextResponse } from 'next/server' import type { NextRequest } from 'next/server' import { addSecurityHeaders } from './lib/security/headers' export function middleware(request: NextRequest) { // Create response const response = NextResponse.next() // Add security headers to all responses return addSecurityHeaders(response) } // Apply middleware to all routes export const config = { matcher: [ /* * Match all request paths except for the ones starting with: * - _next/static (static files) * - _next/image (image optimization files) * - favicon.ico (favicon file) * - public folder files */ // Exclude static assets (include css/js so CSP middleware never touches them on odd paths) '/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico|css|js|woff2?)$).*)', ], }