nextjs-app/next.config.js

/** @type {import('next').NextConfig} */
const path = require('path')

// Supabase project ID from env — no hardcoded values
const supabaseProjectId = (process.env.NEXT_PUBLIC_SUPABASE_URL || '')
  .match(/\/\/([^.]+)\.supabase\.co/)?.[1] || ''

const nextConfig = {
  reactStrictMode: true,
  images: {
    domains: supabaseProjectId ? [`${supabaseProjectId}.supabase.co`] : [],
  },
  // Monorepo workspace root (prevents warnings when multiple lockfiles exist)
  outputFileTracingRoot: path.join(__dirname, '..'),
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          {
            key: 'X-Frame-Options',
            value: 'DENY',
          },
          {
            key: 'X-Content-Type-Options',
            value: 'nosniff',
          },
          {
            key: 'Referrer-Policy',
            value: 'strict-origin-when-cross-origin',
          },
          {
            key: 'X-DNS-Prefetch-Control',
            value: 'on',
          },
          {
            key: 'Permissions-Policy',
            value: 'camera=(), microphone=(), geolocation=()',
          },
          {
            key: 'Content-Security-Policy',
            value: [
              "default-src 'self'",
              "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
              "style-src 'self' 'unsafe-inline'",
              `img-src 'self' data: blob: ${supabaseProjectId ? `https://${supabaseProjectId}.supabase.co` : ''}`.trim(),
              `connect-src 'self' ${supabaseProjectId ? `https://${supabaseProjectId}.supabase.co wss://${supabaseProjectId}.supabase.co` : ''} ${process.env.NEXT_PUBLIC_API_URL || ''}`.trim(),
              "font-src 'self'",
              "frame-ancestors 'none'",
              "base-uri 'self'",
              "form-action 'self'",
            ].join('; '),
          },
        ],
      },
    ]
  },
}

module.exports = nextConfig