rate limiting and api security enhancements

2024-09-10 13:47:16 +02:00
parent 88991c9de0
commit 158a8ca0bb
4 changed files with 195 additions and 0 deletions
--- a/middleware.ts
+++ b/middleware.ts
@@ -0,0 +1,40 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+export function middleware(request: NextRequest) {
+  const response = NextResponse.next()
+  
+  // CORS headers for browser extensions
+  if (request.method === 'OPTIONS') {
+    return new NextResponse(null, {
+      status: 200,
+      headers: {
+        'Access-Control-Allow-Origin': '*',
+        'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+        'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-API-Key',
+        'Access-Control-Max-Age': '86400'
+      }
+    })
+  }
+  
+  // Set CORS headers for actual requests
+  response.headers.set('Access-Control-Allow-Origin', '*')
+  response.headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS')
+  response.headers.set('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-API-Key')
+  
+  // Security headers
+  response.headers.set('X-Content-Type-Options', 'nosniff')
+  response.headers.set('X-Frame-Options', 'DENY')
+  response.headers.set('X-XSS-Protection', '1; mode=block')
+  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin')
+  
+  return response
+}
+
+export const config = {
+  matcher: [
+    '/api/sources/:path*',
+    '/api/stats',
+    '/api/domains/:path*',
+    '/api/reports'
+  ]
+}