next.config.mjs
import { withPlausibleProxy } from "next-plausible";
// Run Velite from inside the Next.js config so that content is built whenever
// `next dev` or `next build` is invoked (the upstream-recommended approach).
const isDev = process.argv.includes("dev");
const isBuild = process.argv.includes("build");

// VELITE_STARTED acts as a run-once latch: it is set before the build starts,
// so a later evaluation of this file that sees the variable skips the block.
// NOTE(review): presumably this guards against the config being loaded more
// than once (child processes inherit the variable) — confirm against Next.js.
const shouldStartVelite = !process.env.VELITE_STARTED && (isDev || isBuild);

if (shouldStartVelite) {
  process.env.VELITE_STARTED = "1";
  // Imported lazily so velite is only loaded when a build is actually needed.
  const { build: runVeliteBuild } = await import("velite");
  // Dev: keep watching and leave existing output in place.
  // Build: single pass with a clean output.
  await runVeliteBuild({ watch: isDev, clean: !isDev });
}
// Content-Security-Policy value, assembled once here as a single static
// string; nothing in it varies by environment.
//
// 'unsafe-eval' is deliberately absent from script-src. Per the author's note,
// MDXRenderer compiles velite-emitted JSX via `new Function(code)`, but it is a
// server component: the evaluation happens at build/SSR time on the server, so
// the browser never runs the dynamic code.
// NOTE(review): that server-side evaluation executes whatever velite emitted,
// so the MDX source has to be treated as trusted code — confirm that content
// only ever comes from the repository.
//
// vercel.live, vercel.com, assets.vercel.com and wss://ws-us3.pusher.com are
// listed for the Vercel Live feedback toolbar, which is injected on preview
// deploys only. One static policy was preferred over swapping headers per
// environment because it is simpler.
// NOTE(review): an allowlisted origin is trusted wherever this header is
// served, whether or not the page itself loads anything from it, so these
// entries are part of the production policy as well. Separately,
// 'unsafe-inline' in script-src means the policy does not stop injected inline
// script; nonces or hashes would be needed for that.
const cspDirectives = [
  ["default-src", "'self'"],
  ["script-src", "'self' 'unsafe-inline' plausible.io va.vercel-scripts.com vercel.live"],
  ["style-src", "'self' 'unsafe-inline' vercel.live"],
  ["img-src", "'self' data: blob: vercel.live vercel.com"],
  ["font-src", "'self' data: vercel.live assets.vercel.com"],
  [
    "connect-src",
    "'self' plausible.io vitals.vercel-insights.com vercel.live wss://ws-us3.pusher.com",
  ],
  ["worker-src", "'self' blob:"],
  ["child-src", "'self' blob:"],
  ["frame-src", "'self' vercel.live"],
  // Clickjacking defence: no origin may frame this site.
  ["frame-ancestors", "'none'"],
  ["base-uri", "'self'"],
  ["form-action", "'self'"],
  ["object-src", "'none'"],
];

// Serialise as "<directive> <sources>; <directive> <sources>; ...".
const csp = cspDirectives
  .map(([directive, sources]) => `${directive} ${sources}`)
  .join("; ");
// Optional Plausible analytics proxy.
//
// Per the author's note, next-plausible v4 needs a `src` URL for the v2
// Plausible script. If the env var is unset (e.g. local dev) the proxy wrapper
// is skipped altogether; `<PlausibleProvider>` in the app tree is gated on the
// same variable.
//
// NOTE(review): NEXT_PUBLIC_* values are inlined into the client bundle, so
// this URL is public by design. It is passed to the proxy wrapper unvalidated,
// so it should only ever be set from trusted deployment configuration.
const plausibleScriptSrc = process.env.NEXT_PUBLIC_PLAUSIBLE_SCRIPT_SRC;

// Identity wrapper used when analytics is disabled: the config passes through
// untouched.
const leaveConfigUnchanged = (config) => config;

const wrapWithPlausible = plausibleScriptSrc
  ? withPlausibleProxy({ src: plausibleScriptSrc })
  : leaveConfigUnchanged;
// Final Next.js configuration, passed through the (possibly no-op) Plausible
// wrapper before being exported.
const nextConfig = wrapWithPlausible({
  // Turbopack root is the directory that contains this config file.
  turbopack: { root: import.meta.dirname },

  images: { formats: ["image/avif", "image/webp"] },

  // Security response headers, attached to every path via the catch-all source.
  headers: async () => {
    const securityHeaders = [
      // Stop browsers from MIME-sniffing responses away from the declared type.
      { key: "X-Content-Type-Options", value: "nosniff" },
      // Legacy counterpart to the CSP `frame-ancestors 'none'` directive.
      { key: "X-Frame-Options", value: "DENY" },
      // HSTS for two years (63072000 s), covering subdomains and opting in to
      // browser preload lists. Every subdomain must therefore serve HTTPS, and
      // preload-list inclusion is slow to reverse.
      {
        key: "Strict-Transport-Security",
        value: "max-age=63072000; includeSubDomains; preload",
      },
      // Cross-origin requests receive only the origin, and nothing on an
      // HTTPS -> HTTP downgrade.
      { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
      // Every listed browser feature gets an empty allowlist, i.e. is disabled.
      {
        key: "Permissions-Policy",
        value:
          "camera=(), microphone=(), geolocation=(), gyroscope=(), payment=(), usb=(), magnetometer=(), accelerometer=()",
      },
      { key: "Content-Security-Policy", value: csp },
    ];

    return [{ source: "/(.*)", headers: securityHeaders }];
  },

  // Short vanity URLs pointing at external project resources.
  redirects: async () => [
    // Permanent redirect (308): the repository location is expected to be stable.
    {
      source: "/code",
      destination: "https://github.com/vortex-data/vortex",
      permanent: true,
    },
    // Temporary redirect (307), so clients do not cache the target.
    // NOTE(review): presumably because shared invite links get rotated — confirm.
    {
      source: "/slack",
      destination:
        "https://join.slack.com/t/vortex-data/shared_invite/zt-3i4ian4du-mmm~~g9jdz2U_B0dA8CIEg",
      permanent: false,
    },
  ],
});

export default nextConfig;