denshooter/portfolio
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
08315433d150d3c6e702b23f89d1c89efdb20453
portfolio/middleware.ts
denshooter 60ea4e99be
All checks were successful
Gitea CI / test-build (push) Successful in 11m8s
Details
chore: remove Sentry integration 
Remove @sentry/nextjs and all related files since it was never actively used.
- Delete sentry.server.config.ts, sentry.edge.config.ts
- Delete sentry-example-page and sentry-example-api routes
- Clean up instrumentation.ts, global-error.tsx, middleware.ts
- Remove Sentry env vars from env.example and docs
- Update CLAUDE.md, copilot-instructions.md, PRODUCTION_READINESS.md

Middleware bundle reduced from 86KB to 34.8KB (-51KB).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-04 13:00:34 +01:00

161 lines
5.0 KiB
TypeScript
Raw Blame History

import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";
const SUPPORTED_LOCALES = ["en", "de"] as const;
type SupportedLocale = (typeof SUPPORTED_LOCALES)[number];
// Security: Block common malicious file patterns
const BLOCKED_PATTERNS = [
/\.php$/i,
/\.asp$/i,
/\.aspx$/i,
/\.jsp$/i,
/\.cgi$/i,
/\.env$/i,
/\.sql$/i,
/\.gz$/i,
/\.tar$/i,
/\.zip$/i,
/\.rar$/i,
/\.bash_history$/i,
/ftpsync\.settings$/i,
/__MACOSX/i,
/\.well-known\.zip$/i,
];
function isBlockedPath(pathname: string): boolean {
return BLOCKED_PATTERNS.some((pattern) => pattern.test(pathname));
}
function pickLocaleFromHeader(acceptLanguage: string | null): SupportedLocale {
if (!acceptLanguage) return "en";
const lower = acceptLanguage.toLowerCase();
// Very small parser: prefer de, then en
if (lower.includes("de")) return "de";
if (lower.includes("en")) return "en";
return "en";
}
function hasLocalePrefix(pathname: string): boolean {
return SUPPORTED_LOCALES.some((l) => pathname === `/${l}` || pathname.startsWith(`/${l}/`));
}
export function middleware(request: NextRequest) {
const { pathname, search } = request.nextUrl;
// Security: Block malicious/suspicious requests immediately
if (isBlockedPath(pathname)) {
return new NextResponse(null, { status: 404 });
}
// If a locale-prefixed request hits a public asset path (e.g. /de/images/me.jpg),
// redirect to the non-prefixed asset path.
if (hasLocalePrefix(pathname)) {
const rest = pathname.replace(/^\/(en|de)/, "") || "/";
if (rest.includes(".")) {
const responseUrl = request.nextUrl.clone();
responseUrl.pathname = rest;
const res = NextResponse.redirect(responseUrl);
return addHeaders(request, res);
}
}
// Do not locale-route public assets (anything with a dot), robots, sitemap, etc.
if (pathname.includes(".")) {
return addHeaders(request, NextResponse.next());
}
// Keep admin + APIs unlocalized for simplicity
const isAdminOrApi =
pathname.startsWith("/api/") ||
pathname === "/api" ||
pathname.startsWith("/manage") ||
pathname.startsWith("/editor");
// Locale routing for public site pages
const responseUrl = request.nextUrl.clone();
if (!isAdminOrApi) {
if (hasLocalePrefix(pathname)) {
// Persist locale preference
const locale = pathname.split("/")[1] as SupportedLocale;
const res = NextResponse.next();
res.cookies.set("NEXT_LOCALE", locale, { path: "/" });
// Continue below to add security headers
return addHeaders(request, res);
}
// Add locale prefix: rewrite root path (avoids redirect roundtrip), redirect others
const preferred = pickLocaleFromHeader(request.headers.get("accept-language"));
if (pathname === "/") {
responseUrl.pathname = `/${preferred}`;
const res = NextResponse.rewrite(responseUrl);
res.cookies.set("NEXT_LOCALE", preferred, { path: "/" });
return addHeaders(request, res);
}
responseUrl.pathname = `/${preferred}${pathname}${search || ""}`;
const res = NextResponse.redirect(responseUrl);
res.cookies.set("NEXT_LOCALE", preferred, { path: "/" });
return addHeaders(request, res);
}
// Fix for 421 Misdirected Request with Nginx Proxy Manager
// Ensure proper host header handling for reverse proxy
const hostname = request.headers.get("host") || request.headers.get("x-forwarded-host") || "";
// Add security headers to all responses
const response = NextResponse.next();
return addHeaders(request, response, hostname);
}
function addHeaders(request: NextRequest, response: NextResponse, hostnameOverride?: string) {
const hostname =
hostnameOverride ??
request.headers.get("host") ??
request.headers.get("x-forwarded-host") ??
"";
// Set proper headers for Nginx Proxy Manager
if (hostname) {
response.headers.set("X-Forwarded-Host", hostname);
response.headers.set(
"X-Real-IP",
request.headers.get("x-real-ip") || request.headers.get("x-forwarded-for") || "",
);
}
// Security headers (complementing next.config.ts headers)
response.headers.set("X-DNS-Prefetch-Control", "on");
response.headers.set("X-Frame-Options", "DENY");
response.headers.set("X-Content-Type-Options", "nosniff");
response.headers.set("X-XSS-Protection", "1; mode=block");
response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
response.headers.set(
"Permissions-Policy",
"camera=(), microphone=(), geolocation=()",
);
// Rate limiting headers for API routes
if (request.nextUrl.pathname.startsWith("/api/")) {
response.headers.set("X-RateLimit-Limit", "100");
response.headers.set("X-RateLimit-Remaining", "99");
}
return response;
}
export const config = {
matcher: [
/*
* Match all request paths except for the ones starting with:
* - api (all API routes)
* - _next/static (static files)
* - _next/image (image optimization files)
* - favicon.ico (favicon file)
*/
"/((?!api|_next/static|_next/image|favicon.ico).*)",
],
};
Reference in New Issue View Git Blame Copy Permalink