diff --git a/middleware.ts b/middleware.ts
index b8cfa1a..61bb509 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -4,16 +4,6 @@ import { DOMAIN_NAME } from "@/config";
 
 export const middleware = (request: NextRequest) => {
 const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
- // Define allowed origins including Vercel deployment URLs
- const VERCEL_URL = process.env.VERCEL_URL;
- const allowedOrigins = [
- `https://${DOMAIN_NAME}`,
- ...(VERCEL_URL ? [`https://${VERCEL_URL}`] : []),
- process.env.NODE_ENV === "development" ? "http://localhost:3000" : "",
- ].filter(Boolean);
-
- const origin = request.headers.get("origin");
-
 const cspHeader = `
 default-src 'self';
 script-src 'self' 'unsafe-inline' *.${DOMAIN_NAME} *.vercel-scripts.com *.googletagmanager.com;
@@ -39,38 +29,8 @@ export const middleware = (request: NextRequest) => {
 headers: requestHeaders,
 },
 });
-
- // Set security headers
 response.headers.set("Content-Security-Policy", cspHeader);
 
- // Set CORS headers only if origin is in allowed list
- if (origin && allowedOrigins.includes(origin)) {
- response.headers.set("Access-Control-Allow-Origin", origin);
- response.headers.set("Access-Control-Allow-Credentials", "true");
- response.headers.set(
- "Access-Control-Allow-Methods",
- "GET,HEAD,POST,OPTIONS",
- );
- response.headers.set(
- "Access-Control-Allow-Headers",
- "X-Requested-With,Content-Type,Authorization",
- );
- }
-
- // Additional security headers
- response.headers.set("X-DNS-Prefetch-Control", "on");
- response.headers.set(
- "Strict-Transport-Security",
- "max-age=63072000; includeSubDomains; preload",
- );
- response.headers.set("X-Content-Type-Options", "nosniff");
- response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
- response.headers.set("X-Frame-Options", "SAMEORIGIN");
- response.headers.set(
- "Permissions-Policy",
- "camera=(), microphone=(), geolocation=()",
- );
-
 return response;
 };
 
diff --git a/next.config.ts b/next.config.ts
index 882b4b5..326a7a2 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -1,17 +1,9 @@
 import type { NextConfig } from "next";
 import { withContentlayer } from "next-contentlayer2";
-import { DOMAIN_NAME } from "@/config";
 
 const nextConfig: NextConfig = {
 reactStrictMode: true,
 async headers() {
- const VERCEL_URL = process.env.VERCEL_URL;
- const allowedOrigins = [
- `https://${DOMAIN_NAME}`,
- ...(VERCEL_URL ? [`https://${VERCEL_URL}`] : []),
- process.env.NODE_ENV === "development" ? "http://localhost:3000" : "",
- ].filter(Boolean);
-
 return [
 {
 source: "/(.*)",
@@ -42,44 +34,7 @@ const nextConfig: NextConfig = {
 },
 {
 key: "Referrer-Policy",
- value: "strict-origin-when-cross-origin",
- },
- {
- key: "Access-Control-Allow-Origin",
- value: allowedOrigins.join(","),
- },
- {
- key: "Access-Control-Allow-Methods",
- value: "GET,HEAD,POST,OPTIONS",
- },
- {
- key: "Access-Control-Allow-Headers",
- value: "X-Requested-With,Content-Type,Authorization",
- },
- {
- key: "Access-Control-Allow-Credentials",
- value: "true",
- },
- ],
- },
- {
- source: "/api/(.*)",
- headers: [
- {
- key: "Access-Control-Allow-Origin",
- value: allowedOrigins.join(","),
- },
- {
- key: "Access-Control-Allow-Methods",
- value: "GET,HEAD,POST,PUT,DELETE,OPTIONS",
- },
- {
- key: "Access-Control-Allow-Headers",
- value: "X-Requested-With,Content-Type,Authorization",
- },
- {
- key: "Access-Control-Allow-Credentials",
- value: "true",
+ value: "origin-when-cross-origin",
 },
 ],
 },
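Review bot: The one added line in the second hunk, `+ value: "origin-when-cross-origin",`, is weaker than both the value it replaces and the current browser default: `origin-when-cross-origin` still sends the origin on an HTTPS→HTTP downgrade, whereas `strict-origin-when-cross-origin` (the value this hunk removes, and the one the middleware used to set) withholds the referrer in that case. Unless leaking the origin on downgrade is wanted, keep `value: "strict-origin-when-cross-origin",`. With the CORS entries and the whole `/api/(.*)` block removed, responses now carry no Access-Control-* headers at all, so any cross-origin browser caller (including Vercel preview URLs) will be blocked — a sound same-origin default, but worth a one-line comment in `headers()` stating that it is deliberate. Since the middleware.ts diff in this commit also drops Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options and Permissions-Policy, the entries above `Referrer-Policy` in this array — outside the hunk — are presumably now the only place those headers are set; confirm they are all still present there. The enclosing `headers()` array and `nextConfig` object start before this hunk.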