/** @type {import('next').NextConfig} */ // HTTP Security Headers // 'unsafe-eval' is configured under `script-src` because it is required by NextJS for development mode const cspHeader = ` default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com https://www.googletagmanager.com; connect-src 'self' https://api.iconify.design https://api.simplesvg.com https://api.unisvg.com https://js.stripe.com https://www.googletagmanager.com; img-src 'self' https://www.google-analytics.com https://www.googletagmanager.com; font-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://js.stripe.com https://www.googletagmanager.com; frame-ancestors 'none'; `; module.exports = { poweredByHeader: false, // Use standalone only in production deployments, not for CI/testing ...(process.env.NODE_ENV === "production" && !process.env.CI && { output: "standalone", outputFileTracingRoot: __dirname, }), experimental: { reactCompiler: true, }, turbopack: { root: __dirname, }, async headers() { return [ { source: "/(.*)", headers: [ { key: "Content-Security-Policy", value: cspHeader.replace(/\n/g, ""), }, { key: "X-Content-Type-Options", value: "nosniff", }, { key: "Referrer-Policy", value: "strict-origin-when-cross-origin", }, ], }, ]; }, };