
Commit f2e5d67

committed
fix(security): static assets not rendering
1 parent 503e07b commit f2e5d67

1 file changed

Lines changed: 25 additions & 125 deletions


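--- a/sim/next.config.ts
+++ b/sim/next.config.ts
@@ -1,23 +1,13 @@
 import type { NextConfig } from 'next'
 
-// Check if we're building for standalone distribution
-const isStandaloneBuild = process.env.USE_LOCAL_STORAGE === 'true'
-
 const nextConfig: NextConfig = {
 devIndicators: false,
-experimental: {
-sri: {
-algorithm: 'sha256'
-}
-},
 images: {
 domains: [
 'avatars.githubusercontent.com',
 'oaidalleapiprodscus.blob.core.windows.net',
 'api.stability.ai',
-],
-// Enable static image optimization for standalone export
-unoptimized: isStandaloneBuild,
+]
 },
 // Always use 'standalone' output to support API routes
 output: 'standalone',
@@ -34,13 +24,10 @@ const nextConfig: NextConfig = {
 return config
 },
 // Only include headers when not building for standalone export
-...(isStandaloneBuild
-? {}
-: {
-async headers() {
-return [
-{
-// API routes CORS headers - keep no-cache for dynamic API endpoints
+async headers() {
+return [
+{
+// API routes CORS headers
 source: '/api/:path*',
 headers: [
 { key: 'Access-Control-Allow-Credentials', value: 'true' },
@@ -57,110 +44,6 @@ const nextConfig: NextConfig = {
 value:
 'X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version',
 },
-{
-key: 'Cache-Control',
-value: 'no-store, no-cache, must-revalidate, proxy-revalidate',
-},
-{
-key: 'Pragma',
-value: 'no-cache',
-},
-{
-key: 'Expires',
-value: '0',
-},
-{
-key: 'Surrogate-Control',
-value: 'no-store',
-},
-],
-},
-{
-// Static assets - long caching for better performance
-// This targets common static file extensions
-source: '/:path*.(js|css|svg|png|jpg|jpeg|gif|webp|avif|ico|woff|woff2|ttf|eot)',
-headers: [
-{
-key: 'Cache-Control',
-value: 'public, max-age=31536000, immutable',
-},
-{
-key: 'Vary',
-value: 'User-Agent',
-},
-],
-},
-{
-// HTML/dynamic content - use validation caching instead of no-cache
-source: '/:path*',
-has: [
-{
-type: 'header',
-key: 'Accept',
-value: '(.*text/html.*)',
-},
-],
-headers: [
-{
-key: 'X-Content-Type-Options',
-value: 'nosniff',
-},
-{
-key: 'X-Frame-Options',
-value: 'SAMEORIGIN',
-},
-{
-key: 'Content-Security-Policy',
-value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; object-src 'none'",
-},
-{
-key: 'Cache-Control',
-value: 'public, max-age=0, must-revalidate',
-},
-{
-key: 'Vary',
-value: 'User-Agent',
-},
-],
-},
-{
-// Apply security headers to all routes
-source: '/:path*',
-headers: [
-{
-key: 'X-Content-Type-Options',
-value: 'nosniff',
-},
-{
-key: 'X-Frame-Options',
-value: 'SAMEORIGIN',
-},
-{
-key: 'Content-Security-Policy',
-value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; object-src 'none'",
-},
-],
-},
-{
-// Dynamic routes containing user data - strict no caching
-source: '/w/:path*',
-headers: [
-{
-key: 'Cache-Control',
-value: 'private, no-store, no-cache, must-revalidate, proxy-revalidate',
-},
-{
-key: 'Pragma',
-value: 'no-cache',
-},
-{
-key: 'Expires',
-value: '0',
-},
-{
-key: 'Surrogate-Control',
-value: 'no-store',
-},
 ],
 },
 {
@@ -187,9 +70,26 @@ const nextConfig: NextConfig = {
 },
 ],
 },
+// Apply security headers to all routes
+{
+source: '/:path*',
+headers: [
+{
+key: 'X-Content-Type-Options',
+value: 'nosniff',
+},
+{
+key: 'X-Frame-Options',
+value: 'SAMEORIGIN',
+},
+{
+key: 'Content-Security-Policy',
+value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; object-src 'none'",
+},
+],
+},
 ]
-},
-}),
+},
 }
 
-export default nextConfig
+export default nextConfig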
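Review bot: The third hunk (old lines 60-163) drops the `Cache-Control: no-store` entries from the `/api/:path*` rule and deletes the whole `/w/:path*` rule, which was commented as serving user data, and nothing on the new side replaces them. Credentialed API responses (`Access-Control-Allow-Credentials: true` stays) and those pages now depend on framework and intermediary defaults for caching. If the rendering failure came from the static-asset rule or the `experimental.sri` block (an inference; the page does not say which), the no-store rules were unrelated and could be restored as sketched below. Separately, the retained comment `// Only include headers when not building for standalone export` above `async headers()` is stale now that the `isStandaloneBuild` branch is gone; something like `// Response headers applied to every build` would match the code. The `headers()` body extends beyond the visible hunks.

```typescript
source: '/api/:path*',
headers: [
  // … unchanged: Access-Control-* entries …
  // Credentialed API responses must not be stored by browsers or shared caches
  { key: 'Cache-Control', value: 'no-store' },
],
// … unchanged: remaining rules …
{
  // Pages under /w carry user data: keep them out of any cache
  source: '/w/:path*',
  headers: [{ key: 'Cache-Control', value: 'private, no-store' }],
},
```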
