46 lines
1.6 KiB
TypeScript
46 lines
1.6 KiB
TypeScript
import { NextResponse } from "next/server";
|
|
import type { NextRequest } from "next/server";
|
|
import { verifySessionAuth } from "@/lib/auth";
|
|
|
|
export function middleware(request: NextRequest) {
|
|
// For /manage and /editor routes, the pages handle their own authentication
|
|
// No middleware redirect needed - let the pages show login forms
|
|
|
|
// Add security headers to all responses
|
|
const response = NextResponse.next();
|
|
|
|
// Security headers (complementing next.config.ts headers)
|
|
response.headers.set("X-DNS-Prefetch-Control", "on");
|
|
response.headers.set("X-Frame-Options", "DENY");
|
|
response.headers.set("X-Content-Type-Options", "nosniff");
|
|
response.headers.set("X-XSS-Protection", "1; mode=block");
|
|
response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
|
|
response.headers.set(
|
|
"Permissions-Policy",
|
|
"camera=(), microphone=(), geolocation=()",
|
|
);
|
|
|
|
// Rate limiting headers for API routes
|
|
if (request.nextUrl.pathname.startsWith("/api/")) {
|
|
response.headers.set("X-RateLimit-Limit", "100");
|
|
response.headers.set("X-RateLimit-Remaining", "99");
|
|
}
|
|
|
|
return response;
|
|
}
|
|
|
|
export const config = {
|
|
matcher: [
|
|
/*
|
|
* Match all request paths except for the ones starting with:
|
|
* - api/email (email API routes)
|
|
* - api/health (health check)
|
|
* - _next/static (static files)
|
|
* - _next/image (image optimization files)
|
|
* - favicon.ico (favicon file)
|
|
* - api/auth (auth API routes - need to be processed)
|
|
*/
|
|
"/((?!api/email|api/health|_next/static|_next/image|favicon.ico|api/auth).*)",
|
|
],
|
|
};
|