@digilogiclabs/platform-core 1.2.0 → 1.4.0

package/dist/security-headers.d.mts

@@ -0,0 +1,75 @@
+/**
+ * Shared Security Headers Utility
+ * Generates consistent security headers for all Next.js apps.
+ * Zero heavy dependencies — pure utility function.
+ */
+interface SecurityHeadersConfig {
+    /** Enable Content-Security-Policy (default: true) */
+    csp?: boolean;
+    /** Additional allowed script-src domains */
+    cspScriptSrc?: string[];
+    /** Additional allowed connect-src domains */
+    cspConnectSrc?: string[];
+    /** Additional allowed frame-src domains */
+    cspFrameSrc?: string[];
+    /** Additional allowed style-src domains */
+    cspStyleSrc?: string[];
+    /** Additional allowed img-src domains */
+    cspImgSrc?: string[];
+    /** X-Frame-Options value (default: 'DENY') */
+    frameOptions?: "DENY" | "SAMEORIGIN";
+    /** Enable HSTS in production (default: true) */
+    hsts?: boolean;
+    /** HSTS max-age in seconds (default: 31536000 = 1 year) */
+    hstsMaxAge?: number;
+    /** Whether this is a production build (default: auto-detect from NODE_ENV) */
+    isProduction?: boolean;
+}
+interface NextHeaderEntry {
+    source: string;
+    headers: Array<{
+        key: string;
+        value: string;
+    }>;
+}
+declare const SecurityHeaderPresets: {
+    /** Minimal: basic headers only, no CSP */
+    readonly minimal: {
+        csp: false;
+        hsts: false;
+    };
+    /** Standard: full CSP + HSTS for most apps */
+    readonly standard: {
+        csp: true;
+        hsts: true;
+        frameOptions: "DENY";
+    };
+    /** Strict: deny all permissions, strict CSP, no frame embedding */
+    readonly strict: {
+        csp: true;
+        hsts: true;
+        hstsMaxAge: number;
+        frameOptions: "DENY";
+    };
+};
+/**
+ * Generate security headers array compatible with Next.js `headers()` config.
+ *
+ * Usage in next.config.mjs:
+ * ```js
+ * const { generateSecurityHeaders } = require('@digilogiclabs/platform-core');
+ *
+ * module.exports = {
+ *   async headers() {
+ *     return generateSecurityHeaders({
+ *       isProduction: process.env.NODE_ENV === 'production',
+ *       cspScriptSrc: ['https://js.stripe.com'],
+ *       cspConnectSrc: ['https://api.stripe.com'],
+ *     });
+ *   },
+ * };
+ * ```
+ */
+declare function generateSecurityHeaders(config?: SecurityHeadersConfig): NextHeaderEntry[];
+
+export { type NextHeaderEntry, SecurityHeaderPresets, type SecurityHeadersConfig, generateSecurityHeaders };

package/dist/security-headers.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Shared Security Headers Utility
+ * Generates consistent security headers for all Next.js apps.
+ * Zero heavy dependencies — pure utility function.
+ */
+interface SecurityHeadersConfig {
+    /** Enable Content-Security-Policy (default: true) */
+    csp?: boolean;
+    /** Additional allowed script-src domains */
+    cspScriptSrc?: string[];
+    /** Additional allowed connect-src domains */
+    cspConnectSrc?: string[];
+    /** Additional allowed frame-src domains */
+    cspFrameSrc?: string[];
+    /** Additional allowed style-src domains */
+    cspStyleSrc?: string[];
+    /** Additional allowed img-src domains */
+    cspImgSrc?: string[];
+    /** X-Frame-Options value (default: 'DENY') */
+    frameOptions?: "DENY" | "SAMEORIGIN";
+    /** Enable HSTS in production (default: true) */
+    hsts?: boolean;
+    /** HSTS max-age in seconds (default: 31536000 = 1 year) */
+    hstsMaxAge?: number;
+    /** Whether this is a production build (default: auto-detect from NODE_ENV) */
+    isProduction?: boolean;
+}
+interface NextHeaderEntry {
+    source: string;
+    headers: Array<{
+        key: string;
+        value: string;
+    }>;
+}
+declare const SecurityHeaderPresets: {
+    /** Minimal: basic headers only, no CSP */
+    readonly minimal: {
+        csp: false;
+        hsts: false;
+    };
+    /** Standard: full CSP + HSTS for most apps */
+    readonly standard: {
+        csp: true;
+        hsts: true;
+        frameOptions: "DENY";
+    };
+    /** Strict: deny all permissions, strict CSP, no frame embedding */
+    readonly strict: {
+        csp: true;
+        hsts: true;
+        hstsMaxAge: number;
+        frameOptions: "DENY";
+    };
+};
+/**
+ * Generate security headers array compatible with Next.js `headers()` config.
+ *
+ * Usage in next.config.mjs:
+ * ```js
+ * const { generateSecurityHeaders } = require('@digilogiclabs/platform-core');
+ *
+ * module.exports = {
+ *   async headers() {
+ *     return generateSecurityHeaders({
+ *       isProduction: process.env.NODE_ENV === 'production',
+ *       cspScriptSrc: ['https://js.stripe.com'],
+ *       cspConnectSrc: ['https://api.stripe.com'],
+ *     });
+ *   },
+ * };
+ * ```
+ */
+declare function generateSecurityHeaders(config?: SecurityHeadersConfig): NextHeaderEntry[];
+
+export { type NextHeaderEntry, SecurityHeaderPresets, type SecurityHeadersConfig, generateSecurityHeaders };

package/dist/security-headers.js

@@ -0,0 +1,137 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/security-headers.ts
+var security_headers_exports = {};
+__export(security_headers_exports, {
+  SecurityHeaderPresets: () => SecurityHeaderPresets,
+  generateSecurityHeaders: () => generateSecurityHeaders
+});
+module.exports = __toCommonJS(security_headers_exports);
+var SecurityHeaderPresets = {
+  /** Minimal: basic headers only, no CSP */
+  minimal: {
+    csp: false,
+    hsts: false
+  },
+  /** Standard: full CSP + HSTS for most apps */
+  standard: {
+    csp: true,
+    hsts: true,
+    frameOptions: "DENY"
+  },
+  /** Strict: deny all permissions, strict CSP, no frame embedding */
+  strict: {
+    csp: true,
+    hsts: true,
+    hstsMaxAge: 63072e3,
+    // 2 years
+    frameOptions: "DENY"
+  }
+};
+function generateSecurityHeaders(config = {}) {
+  const isProduction = config.isProduction ?? process.env.NODE_ENV === "production";
+  const frameOptions = config.frameOptions ?? "DENY";
+  const enableCsp = config.csp ?? true;
+  const enableHsts = config.hsts ?? true;
+  const hstsMaxAge = config.hstsMaxAge ?? 31536e3;
+  const baseHeaders = [
+    { key: "X-Frame-Options", value: frameOptions },
+    { key: "X-Content-Type-Options", value: "nosniff" },
+    // Modern browsers use CSP, not XSS-Protection. Value '0' disables the
+    // legacy filter which can itself introduce vulnerabilities.
+    { key: "X-XSS-Protection", value: "0" },
+    {
+      key: "Referrer-Policy",
+      value: "strict-origin-when-cross-origin"
+    },
+    {
+      key: "Permissions-Policy",
+      value: "camera=(), microphone=(), geolocation=()"
+    }
+  ];
+  const entries = [
+    { source: "/:path*", headers: baseHeaders }
+  ];
+  if (isProduction) {
+    const prodHeaders = [];
+    if (enableHsts) {
+      prodHeaders.push({
+        key: "Strict-Transport-Security",
+        value: `max-age=${hstsMaxAge}; includeSubDomains`
+      });
+    }
+    if (enableCsp) {
+      const csp = buildCsp(config);
+      prodHeaders.push({ key: "Content-Security-Policy", value: csp });
+    }
+    if (prodHeaders.length > 0) {
+      entries.push({ source: "/:path*", headers: prodHeaders });
+    }
+  }
+  return entries;
+}
+function buildCsp(config) {
+  const scriptSrc = [
+    "'self'",
+    "'unsafe-inline'",
+    "'unsafe-eval'",
+    ...config.cspScriptSrc ?? []
+  ];
+  const styleSrc = [
+    "'self'",
+    "'unsafe-inline'",
+    "https://fonts.googleapis.com",
+    ...config.cspStyleSrc ?? []
+  ];
+  const imgSrc = [
+    "'self'",
+    "data:",
+    "https:",
+    "blob:",
+    ...config.cspImgSrc ?? []
+  ];
+  const fontSrc = ["'self'", "data:", "https://fonts.gstatic.com"];
+  const connectSrc = ["'self'", ...config.cspConnectSrc ?? []];
+  const frameSrc = [...config.cspFrameSrc ?? []];
+  const directives = [
+    `default-src 'self'`,
+    `script-src ${scriptSrc.join(" ")}`,
+    `style-src ${styleSrc.join(" ")}`,
+    `img-src ${imgSrc.join(" ")}`,
+    `font-src ${fontSrc.join(" ")}`,
+    `connect-src ${connectSrc.join(" ")}`
+  ];
+  if (frameSrc.length > 0) {
+    directives.push(`frame-src ${frameSrc.join(" ")}`);
+  }
+  directives.push(
+    `object-src 'none'`,
+    `base-uri 'self'`,
+    `form-action 'self'`,
+    `frame-ancestors 'none'`
+  );
+  return directives.join("; ");
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  SecurityHeaderPresets,
+  generateSecurityHeaders
+});
+//# sourceMappingURL=security-headers.js.map

package/dist/security-headers.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/security-headers.ts"],"sourcesContent":["/**\r\n * Shared Security Headers Utility\r\n * Generates consistent security headers for all Next.js apps.\r\n * Zero heavy dependencies — pure utility function.\r\n */\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// TYPES\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\nexport interface SecurityHeadersConfig {\r\n  /** Enable Content-Security-Policy (default: true) */\r\n  csp?: boolean;\r\n  /** Additional allowed script-src domains */\r\n  cspScriptSrc?: string[];\r\n  /** Additional allowed connect-src domains */\r\n  cspConnectSrc?: string[];\r\n  /** Additional allowed frame-src domains */\r\n  cspFrameSrc?: string[];\r\n  /** Additional allowed style-src domains */\r\n  cspStyleSrc?: string[];\r\n  /** Additional allowed img-src domains */\r\n  cspImgSrc?: string[];\r\n  /** X-Frame-Options value (default: 'DENY') */\r\n  frameOptions?: \"DENY\" | \"SAMEORIGIN\";\r\n  /** Enable HSTS in production (default: true) */\r\n  hsts?: boolean;\r\n  /** HSTS max-age in seconds (default: 31536000 = 1 year) */\r\n  hstsMaxAge?: number;\r\n  /** Whether this is a production build (default: auto-detect from NODE_ENV) */\r\n  isProduction?: boolean;\r\n}\r\n\r\nexport interface NextHeaderEntry {\r\n  source: string;\r\n  headers: Array<{ key: string; value: string }>;\r\n}\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// PRESETS\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\nexport const SecurityHeaderPresets = {\r\n  /** Minimal: basic headers only, no CSP */\r\n  minimal: {\r\n    csp: false,\r\n    hsts: false,\r\n  } satisfies SecurityHeadersConfig,\r\n\r\n  /** Standard: full CSP + HSTS for most apps */\r\n  standard: {\r\n    csp: true,\r\n    hsts: true,\r\n    frameOptions: \"DENY\",\r\n  } satisfies SecurityHeadersConfig,\r\n\r\n  /** Strict: deny all permissions, strict CSP, no frame embedding */\r\n  strict: {\r\n    csp: true,\r\n    hsts: true,\r\n    hstsMaxAge: 63072000, // 2 years\r\n    frameOptions: \"DENY\",\r\n  } satisfies SecurityHeadersConfig,\r\n} as const;\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// MAIN FUNCTION\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\n/**\r\n * Generate security headers array compatible with Next.js `headers()` config.\r\n *\r\n * Usage in next.config.mjs:\r\n * ```js\r\n * const { generateSecurityHeaders } = require('@digilogiclabs/platform-core');\r\n *\r\n * module.exports = {\r\n *   async headers() {\r\n *     return generateSecurityHeaders({\r\n *       isProduction: process.env.NODE_ENV === 'production',\r\n *       cspScriptSrc: ['https://js.stripe.com'],\r\n *       cspConnectSrc: ['https://api.stripe.com'],\r\n *     });\r\n *   },\r\n * };\r\n * ```\r\n */\r\nexport function generateSecurityHeaders(\r\n  config: SecurityHeadersConfig = {},\r\n): NextHeaderEntry[] {\r\n  const isProduction =\r\n    config.isProduction ?? process.env.NODE_ENV === \"production\";\r\n  const frameOptions = config.frameOptions ?? \"DENY\";\r\n  const enableCsp = config.csp ?? true;\r\n  const enableHsts = config.hsts ?? true;\r\n  const hstsMaxAge = config.hstsMaxAge ?? 31536000;\r\n\r\n  // Base headers applied to all routes in all environments\r\n  const baseHeaders: Array<{ key: string; value: string }> = [\r\n    { key: \"X-Frame-Options\", value: frameOptions },\r\n    { key: \"X-Content-Type-Options\", value: \"nosniff\" },\r\n    // Modern browsers use CSP, not XSS-Protection. Value '0' disables the\r\n    // legacy filter which can itself introduce vulnerabilities.\r\n    { key: \"X-XSS-Protection\", value: \"0\" },\r\n    {\r\n      key: \"Referrer-Policy\",\r\n      value: \"strict-origin-when-cross-origin\",\r\n    },\r\n    {\r\n      key: \"Permissions-Policy\",\r\n      value: \"camera=(), microphone=(), geolocation=()\",\r\n    },\r\n  ];\r\n\r\n  const entries: NextHeaderEntry[] = [\r\n    { source: \"/:path*\", headers: baseHeaders },\r\n  ];\r\n\r\n  // Production-only headers\r\n  if (isProduction) {\r\n    const prodHeaders: Array<{ key: string; value: string }> = [];\r\n\r\n    // HSTS\r\n    if (enableHsts) {\r\n      prodHeaders.push({\r\n        key: \"Strict-Transport-Security\",\r\n        value: `max-age=${hstsMaxAge}; includeSubDomains`,\r\n      });\r\n    }\r\n\r\n    // Content-Security-Policy\r\n    if (enableCsp) {\r\n      const csp = buildCsp(config);\r\n      prodHeaders.push({ key: \"Content-Security-Policy\", value: csp });\r\n    }\r\n\r\n    if (prodHeaders.length > 0) {\r\n      entries.push({ source: \"/:path*\", headers: prodHeaders });\r\n    }\r\n  }\r\n\r\n  return entries;\r\n}\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// CSP BUILDER\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\nfunction buildCsp(config: SecurityHeadersConfig): string {\r\n  const scriptSrc = [\r\n    \"'self'\",\r\n    \"'unsafe-inline'\",\r\n    \"'unsafe-eval'\",\r\n    ...(config.cspScriptSrc ?? []),\r\n  ];\r\n\r\n  const styleSrc = [\r\n    \"'self'\",\r\n    \"'unsafe-inline'\",\r\n    \"https://fonts.googleapis.com\",\r\n    ...(config.cspStyleSrc ?? []),\r\n  ];\r\n\r\n  const imgSrc = [\r\n    \"'self'\",\r\n    \"data:\",\r\n    \"https:\",\r\n    \"blob:\",\r\n    ...(config.cspImgSrc ?? []),\r\n  ];\r\n\r\n  const fontSrc = [\"'self'\", \"data:\", \"https://fonts.gstatic.com\"];\r\n\r\n  const connectSrc = [\"'self'\", ...(config.cspConnectSrc ?? [])];\r\n\r\n  const frameSrc = [...(config.cspFrameSrc ?? [])];\r\n\r\n  const directives = [\r\n    `default-src 'self'`,\r\n    `script-src ${scriptSrc.join(\" \")}`,\r\n    `style-src ${styleSrc.join(\" \")}`,\r\n    `img-src ${imgSrc.join(\" \")}`,\r\n    `font-src ${fontSrc.join(\" \")}`,\r\n    `connect-src ${connectSrc.join(\" \")}`,\r\n  ];\r\n\r\n  if (frameSrc.length > 0) {\r\n    directives.push(`frame-src ${frameSrc.join(\" \")}`);\r\n  }\r\n\r\n  directives.push(\r\n    `object-src 'none'`,\r\n    `base-uri 'self'`,\r\n    `form-action 'self'`,\r\n    `frame-ancestors 'none'`,\r\n  );\r\n\r\n  return directives.join(\"; \");\r\n}\r\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA0CO,IAAM,wBAAwB;AAAA;AAAA,EAEnC,SAAS;AAAA,IACP,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AAAA;AAAA,EAGA,UAAU;AAAA,IACR,KAAK;AAAA,IACL,MAAM;AAAA,IACN,cAAc;AAAA,EAChB;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,KAAK;AAAA,IACL,MAAM;AAAA,IACN,YAAY;AAAA;AAAA,IACZ,cAAc;AAAA,EAChB;AACF;AAwBO,SAAS,wBACd,SAAgC,CAAC,GACd;AACnB,QAAM,eACJ,OAAO,gBAAgB,QAAQ,IAAI,aAAa;AAClD,QAAM,eAAe,OAAO,gBAAgB;AAC5C,QAAM,YAAY,OAAO,OAAO;AAChC,QAAM,aAAa,OAAO,QAAQ;AAClC,QAAM,aAAa,OAAO,cAAc;AAGxC,QAAM,cAAqD;AAAA,IACzD,EAAE,KAAK,mBAAmB,OAAO,aAAa;AAAA,IAC9C,EAAE,KAAK,0BAA0B,OAAO,UAAU;AAAA;AAAA;AAAA,IAGlD,EAAE,KAAK,oBAAoB,OAAO,IAAI;AAAA,IACtC;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,IACA;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,UAA6B;AAAA,IACjC,EAAE,QAAQ,WAAW,SAAS,YAAY;AAAA,EAC5C;AAGA,MAAI,cAAc;AAChB,UAAM,cAAqD,CAAC;AAG5D,QAAI,YAAY;AACd,kBAAY,KAAK;AAAA,QACf,KAAK;AAAA,QACL,OAAO,WAAW,UAAU;AAAA,MAC9B,CAAC;AAAA,IACH;AAGA,QAAI,WAAW;AACb,YAAM,MAAM,SAAS,MAAM;AAC3B,kBAAY,KAAK,EAAE,KAAK,2BAA2B,OAAO,IAAI,CAAC;AAAA,IACjE;AAEA,QAAI,YAAY,SAAS,GAAG;AAC1B,cAAQ,KAAK,EAAE,QAAQ,WAAW,SAAS,YAAY,CAAC;AAAA,IAC1D;AAAA,EACF;AAEA,SAAO;AACT;AAMA,SAAS,SAAS,QAAuC;AACvD,QAAM,YAAY;AAAA,IAChB;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,gBAAgB,CAAC;AAAA,EAC9B;AAEA,QAAM,WAAW;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,eAAe,CAAC;AAAA,EAC7B;AAEA,QAAM,SAAS;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,aAAa,CAAC;AAAA,EAC3B;AAEA,QAAM,UAAU,CAAC,UAAU,SAAS,2BAA2B;AAE/D,QAAM,aAAa,CAAC,UAAU,GAAI,OAAO,iBAAiB,CAAC,CAAE;AAE7D,QAAM,WAAW,CAAC,GAAI,OAAO,eAAe,CAAC,CAAE;AAE/C,QAAM,aAAa;AAAA,IACjB;AAAA,IACA,cAAc,UAAU,KAAK,GAAG,CAAC;AAAA,IACjC,aAAa,SAAS,KAAK,GAAG,CAAC;AAAA,IAC/B,WAAW,OAAO,KAAK,GAAG,CAAC;AAAA,IAC3B,YAAY,QAAQ,KAAK,GAAG,CAAC;AAAA,IAC7B,eAAe,WAAW,KAAK,GAAG,CAAC;AAAA,EACrC;AAEA,MAAI,SAAS,SAAS,GAAG;AACvB,eAAW,KAAK,aAAa,SAAS,KAAK,GAAG,CAAC,EAAE;AAAA,EACnD;AAEA,aAAW;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,SAAO,WAAW,KAAK,IAAI;AAC7B;","names":[]}

package/dist/security-headers.mjs

@@ -0,0 +1,111 @@
+// src/security-headers.ts
+var SecurityHeaderPresets = {
+  /** Minimal: basic headers only, no CSP */
+  minimal: {
+    csp: false,
+    hsts: false
+  },
+  /** Standard: full CSP + HSTS for most apps */
+  standard: {
+    csp: true,
+    hsts: true,
+    frameOptions: "DENY"
+  },
+  /** Strict: deny all permissions, strict CSP, no frame embedding */
+  strict: {
+    csp: true,
+    hsts: true,
+    hstsMaxAge: 63072e3,
+    // 2 years
+    frameOptions: "DENY"
+  }
+};
+function generateSecurityHeaders(config = {}) {
+  const isProduction = config.isProduction ?? process.env.NODE_ENV === "production";
+  const frameOptions = config.frameOptions ?? "DENY";
+  const enableCsp = config.csp ?? true;
+  const enableHsts = config.hsts ?? true;
+  const hstsMaxAge = config.hstsMaxAge ?? 31536e3;
+  const baseHeaders = [
+    { key: "X-Frame-Options", value: frameOptions },
+    { key: "X-Content-Type-Options", value: "nosniff" },
+    // Modern browsers use CSP, not XSS-Protection. Value '0' disables the
+    // legacy filter which can itself introduce vulnerabilities.
+    { key: "X-XSS-Protection", value: "0" },
+    {
+      key: "Referrer-Policy",
+      value: "strict-origin-when-cross-origin"
+    },
+    {
+      key: "Permissions-Policy",
+      value: "camera=(), microphone=(), geolocation=()"
+    }
+  ];
+  const entries = [
+    { source: "/:path*", headers: baseHeaders }
+  ];
+  if (isProduction) {
+    const prodHeaders = [];
+    if (enableHsts) {
+      prodHeaders.push({
+        key: "Strict-Transport-Security",
+        value: `max-age=${hstsMaxAge}; includeSubDomains`
+      });
+    }
+    if (enableCsp) {
+      const csp = buildCsp(config);
+      prodHeaders.push({ key: "Content-Security-Policy", value: csp });
+    }
+    if (prodHeaders.length > 0) {
+      entries.push({ source: "/:path*", headers: prodHeaders });
+    }
+  }
+  return entries;
+}
+function buildCsp(config) {
+  const scriptSrc = [
+    "'self'",
+    "'unsafe-inline'",
+    "'unsafe-eval'",
+    ...config.cspScriptSrc ?? []
+  ];
+  const styleSrc = [
+    "'self'",
+    "'unsafe-inline'",
+    "https://fonts.googleapis.com",
+    ...config.cspStyleSrc ?? []
+  ];
+  const imgSrc = [
+    "'self'",
+    "data:",
+    "https:",
+    "blob:",
+    ...config.cspImgSrc ?? []
+  ];
+  const fontSrc = ["'self'", "data:", "https://fonts.gstatic.com"];
+  const connectSrc = ["'self'", ...config.cspConnectSrc ?? []];
+  const frameSrc = [...config.cspFrameSrc ?? []];
+  const directives = [
+    `default-src 'self'`,
+    `script-src ${scriptSrc.join(" ")}`,
+    `style-src ${styleSrc.join(" ")}`,
+    `img-src ${imgSrc.join(" ")}`,
+    `font-src ${fontSrc.join(" ")}`,
+    `connect-src ${connectSrc.join(" ")}`
+  ];
+  if (frameSrc.length > 0) {
+    directives.push(`frame-src ${frameSrc.join(" ")}`);
+  }
+  directives.push(
+    `object-src 'none'`,
+    `base-uri 'self'`,
+    `form-action 'self'`,
+    `frame-ancestors 'none'`
+  );
+  return directives.join("; ");
+}
+export {
+  SecurityHeaderPresets,
+  generateSecurityHeaders
+};
+//# sourceMappingURL=security-headers.mjs.map

package/dist/security-headers.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/security-headers.ts"],"sourcesContent":["/**\r\n * Shared Security Headers Utility\r\n * Generates consistent security headers for all Next.js apps.\r\n * Zero heavy dependencies — pure utility function.\r\n */\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// TYPES\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\nexport interface SecurityHeadersConfig {\r\n  /** Enable Content-Security-Policy (default: true) */\r\n  csp?: boolean;\r\n  /** Additional allowed script-src domains */\r\n  cspScriptSrc?: string[];\r\n  /** Additional allowed connect-src domains */\r\n  cspConnectSrc?: string[];\r\n  /** Additional allowed frame-src domains */\r\n  cspFrameSrc?: string[];\r\n  /** Additional allowed style-src domains */\r\n  cspStyleSrc?: string[];\r\n  /** Additional allowed img-src domains */\r\n  cspImgSrc?: string[];\r\n  /** X-Frame-Options value (default: 'DENY') */\r\n  frameOptions?: \"DENY\" | \"SAMEORIGIN\";\r\n  /** Enable HSTS in production (default: true) */\r\n  hsts?: boolean;\r\n  /** HSTS max-age in seconds (default: 31536000 = 1 year) */\r\n  hstsMaxAge?: number;\r\n  /** Whether this is a production build (default: auto-detect from NODE_ENV) */\r\n  isProduction?: boolean;\r\n}\r\n\r\nexport interface NextHeaderEntry {\r\n  source: string;\r\n  headers: Array<{ key: string; value: string }>;\r\n}\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// PRESETS\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\nexport const SecurityHeaderPresets = {\r\n  /** Minimal: basic headers only, no CSP */\r\n  minimal: {\r\n    csp: false,\r\n    hsts: false,\r\n  } satisfies SecurityHeadersConfig,\r\n\r\n  /** Standard: full CSP + HSTS for most apps */\r\n  standard: {\r\n    csp: true,\r\n    hsts: true,\r\n    frameOptions: \"DENY\",\r\n  } satisfies SecurityHeadersConfig,\r\n\r\n  /** Strict: deny all permissions, strict CSP, no frame embedding */\r\n  strict: {\r\n    csp: true,\r\n    hsts: true,\r\n    hstsMaxAge: 63072000, // 2 years\r\n    frameOptions: \"DENY\",\r\n  } satisfies SecurityHeadersConfig,\r\n} as const;\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// MAIN FUNCTION\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\n/**\r\n * Generate security headers array compatible with Next.js `headers()` config.\r\n *\r\n * Usage in next.config.mjs:\r\n * ```js\r\n * const { generateSecurityHeaders } = require('@digilogiclabs/platform-core');\r\n *\r\n * module.exports = {\r\n *   async headers() {\r\n *     return generateSecurityHeaders({\r\n *       isProduction: process.env.NODE_ENV === 'production',\r\n *       cspScriptSrc: ['https://js.stripe.com'],\r\n *       cspConnectSrc: ['https://api.stripe.com'],\r\n *     });\r\n *   },\r\n * };\r\n * ```\r\n */\r\nexport function generateSecurityHeaders(\r\n  config: SecurityHeadersConfig = {},\r\n): NextHeaderEntry[] {\r\n  const isProduction =\r\n    config.isProduction ?? process.env.NODE_ENV === \"production\";\r\n  const frameOptions = config.frameOptions ?? \"DENY\";\r\n  const enableCsp = config.csp ?? true;\r\n  const enableHsts = config.hsts ?? true;\r\n  const hstsMaxAge = config.hstsMaxAge ?? 31536000;\r\n\r\n  // Base headers applied to all routes in all environments\r\n  const baseHeaders: Array<{ key: string; value: string }> = [\r\n    { key: \"X-Frame-Options\", value: frameOptions },\r\n    { key: \"X-Content-Type-Options\", value: \"nosniff\" },\r\n    // Modern browsers use CSP, not XSS-Protection. Value '0' disables the\r\n    // legacy filter which can itself introduce vulnerabilities.\r\n    { key: \"X-XSS-Protection\", value: \"0\" },\r\n    {\r\n      key: \"Referrer-Policy\",\r\n      value: \"strict-origin-when-cross-origin\",\r\n    },\r\n    {\r\n      key: \"Permissions-Policy\",\r\n      value: \"camera=(), microphone=(), geolocation=()\",\r\n    },\r\n  ];\r\n\r\n  const entries: NextHeaderEntry[] = [\r\n    { source: \"/:path*\", headers: baseHeaders },\r\n  ];\r\n\r\n  // Production-only headers\r\n  if (isProduction) {\r\n    const prodHeaders: Array<{ key: string; value: string }> = [];\r\n\r\n    // HSTS\r\n    if (enableHsts) {\r\n      prodHeaders.push({\r\n        key: \"Strict-Transport-Security\",\r\n        value: `max-age=${hstsMaxAge}; includeSubDomains`,\r\n      });\r\n    }\r\n\r\n    // Content-Security-Policy\r\n    if (enableCsp) {\r\n      const csp = buildCsp(config);\r\n      prodHeaders.push({ key: \"Content-Security-Policy\", value: csp });\r\n    }\r\n\r\n    if (prodHeaders.length > 0) {\r\n      entries.push({ source: \"/:path*\", headers: prodHeaders });\r\n    }\r\n  }\r\n\r\n  return entries;\r\n}\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// CSP BUILDER\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\nfunction buildCsp(config: SecurityHeadersConfig): string {\r\n  const scriptSrc = [\r\n    \"'self'\",\r\n    \"'unsafe-inline'\",\r\n    \"'unsafe-eval'\",\r\n    ...(config.cspScriptSrc ?? []),\r\n  ];\r\n\r\n  const styleSrc = [\r\n    \"'self'\",\r\n    \"'unsafe-inline'\",\r\n    \"https://fonts.googleapis.com\",\r\n    ...(config.cspStyleSrc ?? []),\r\n  ];\r\n\r\n  const imgSrc = [\r\n    \"'self'\",\r\n    \"data:\",\r\n    \"https:\",\r\n    \"blob:\",\r\n    ...(config.cspImgSrc ?? []),\r\n  ];\r\n\r\n  const fontSrc = [\"'self'\", \"data:\", \"https://fonts.gstatic.com\"];\r\n\r\n  const connectSrc = [\"'self'\", ...(config.cspConnectSrc ?? [])];\r\n\r\n  const frameSrc = [...(config.cspFrameSrc ?? [])];\r\n\r\n  const directives = [\r\n    `default-src 'self'`,\r\n    `script-src ${scriptSrc.join(\" \")}`,\r\n    `style-src ${styleSrc.join(\" \")}`,\r\n    `img-src ${imgSrc.join(\" \")}`,\r\n    `font-src ${fontSrc.join(\" \")}`,\r\n    `connect-src ${connectSrc.join(\" \")}`,\r\n  ];\r\n\r\n  if (frameSrc.length > 0) {\r\n    directives.push(`frame-src ${frameSrc.join(\" \")}`);\r\n  }\r\n\r\n  directives.push(\r\n    `object-src 'none'`,\r\n    `base-uri 'self'`,\r\n    `form-action 'self'`,\r\n    `frame-ancestors 'none'`,\r\n  );\r\n\r\n  return directives.join(\"; \");\r\n}\r\n"],"mappings":";AA0CO,IAAM,wBAAwB;AAAA;AAAA,EAEnC,SAAS;AAAA,IACP,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AAAA;AAAA,EAGA,UAAU;AAAA,IACR,KAAK;AAAA,IACL,MAAM;AAAA,IACN,cAAc;AAAA,EAChB;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,KAAK;AAAA,IACL,MAAM;AAAA,IACN,YAAY;AAAA;AAAA,IACZ,cAAc;AAAA,EAChB;AACF;AAwBO,SAAS,wBACd,SAAgC,CAAC,GACd;AACnB,QAAM,eACJ,OAAO,gBAAgB,QAAQ,IAAI,aAAa;AAClD,QAAM,eAAe,OAAO,gBAAgB;AAC5C,QAAM,YAAY,OAAO,OAAO;AAChC,QAAM,aAAa,OAAO,QAAQ;AAClC,QAAM,aAAa,OAAO,cAAc;AAGxC,QAAM,cAAqD;AAAA,IACzD,EAAE,KAAK,mBAAmB,OAAO,aAAa;AAAA,IAC9C,EAAE,KAAK,0BAA0B,OAAO,UAAU;AAAA;AAAA;AAAA,IAGlD,EAAE,KAAK,oBAAoB,OAAO,IAAI;AAAA,IACtC;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,IACA;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,UAA6B;AAAA,IACjC,EAAE,QAAQ,WAAW,SAAS,YAAY;AAAA,EAC5C;AAGA,MAAI,cAAc;AAChB,UAAM,cAAqD,CAAC;AAG5D,QAAI,YAAY;AACd,kBAAY,KAAK;AAAA,QACf,KAAK;AAAA,QACL,OAAO,WAAW,UAAU;AAAA,MAC9B,CAAC;AAAA,IACH;AAGA,QAAI,WAAW;AACb,YAAM,MAAM,SAAS,MAAM;AAC3B,kBAAY,KAAK,EAAE,KAAK,2BAA2B,OAAO,IAAI,CAAC;AAAA,IACjE;AAEA,QAAI,YAAY,SAAS,GAAG;AAC1B,cAAQ,KAAK,EAAE,QAAQ,WAAW,SAAS,YAAY,CAAC;AAAA,IAC1D;AAAA,EACF;AAEA,SAAO;AACT;AAMA,SAAS,SAAS,QAAuC;AACvD,QAAM,YAAY;AAAA,IAChB;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,gBAAgB,CAAC;AAAA,EAC9B;AAEA,QAAM,WAAW;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,eAAe,CAAC;AAAA,EAC7B;AAEA,QAAM,SAAS;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,aAAa,CAAC;AAAA,EAC3B;AAEA,QAAM,UAAU,CAAC,UAAU,SAAS,2BAA2B;AAE/D,QAAM,aAAa,CAAC,UAAU,GAAI,OAAO,iBAAiB,CAAC,CAAE;AAE7D,QAAM,WAAW,CAAC,GAAI,OAAO,eAAe,CAAC,CAAE;AAE/C,QAAM,aAAa;AAAA,IACjB;AAAA,IACA,cAAc,UAAU,KAAK,GAAG,CAAC;AAAA,IACjC,aAAa,SAAS,KAAK,GAAG,CAAC;AAAA,IAC/B,WAAW,OAAO,KAAK,GAAG,CAAC;AAAA,IAC3B,YAAY,QAAQ,KAAK,GAAG,CAAC;AAAA,IAC7B,eAAe,WAAW,KAAK,GAAG,CAAC;AAAA,EACrC;AAEA,MAAI,SAAS,SAAS,GAAG;AACvB,eAAW,KAAK,aAAa,SAAS,KAAK,GAAG,CAAC,EAAE;AAAA,EACnD;AAEA,aAAW;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,SAAO,WAAW,KAAK,IAAI;AAC7B;","names":[]}

package/dist/testing.d.mts

@@ -1,5 +1,5 @@
-import { I as IPlatform, M as MemoryDatabase, a as MemoryCache, b as MemoryStorage, c as MemoryEmail, d as MemoryQueue, e as IDatabase } from './ConsoleEmail-hUDFsKoA.mjs';
-export { C as ConsoleEmail, h as ConsoleLogger, t as EmailMessage, E as EnvSecrets, l as ICache, n as IEmail, p as ILogger, q as IMetrics, k as IQueryBuilder, o as IQueue, r as ISecrets, m as IStorage, J as Job, s as JobOptions, i as MemoryMetrics, f as MemorySecrets, N as NoopLogger, j as NoopMetrics, Q as QueryResult, S as StorageFile, g as createPlatform } from './ConsoleEmail-hUDFsKoA.mjs';
+import { I as IPlatform, M as MemoryDatabase, a as MemoryCache, b as MemoryStorage, c as MemoryEmail, d as MemoryQueue, e as IDatabase } from './ConsoleEmail-ubSVWgTa.mjs';
+export { C as ConsoleEmail, h as ConsoleLogger, t as EmailMessage, E as EnvSecrets, l as ICache, n as IEmail, p as ILogger, q as IMetrics, k as IQueryBuilder, o as IQueue, r as ISecrets, m as IStorage, J as Job, s as JobOptions, i as MemoryMetrics, f as MemorySecrets, N as NoopLogger, j as NoopMetrics, Q as QueryResult, S as StorageFile, g as createPlatform } from './ConsoleEmail-ubSVWgTa.mjs';
 import 'zod';
 
 /**

package/dist/testing.d.ts

@@ -1,5 +1,5 @@
-import { I as IPlatform, M as MemoryDatabase, a as MemoryCache, b as MemoryStorage, c as MemoryEmail, d as MemoryQueue, e as IDatabase } from './ConsoleEmail-hUDFsKoA.js';
-export { C as ConsoleEmail, h as ConsoleLogger, t as EmailMessage, E as EnvSecrets, l as ICache, n as IEmail, p as ILogger, q as IMetrics, k as IQueryBuilder, o as IQueue, r as ISecrets, m as IStorage, J as Job, s as JobOptions, i as MemoryMetrics, f as MemorySecrets, N as NoopLogger, j as NoopMetrics, Q as QueryResult, S as StorageFile, g as createPlatform } from './ConsoleEmail-hUDFsKoA.js';
+import { I as IPlatform, M as MemoryDatabase, a as MemoryCache, b as MemoryStorage, c as MemoryEmail, d as MemoryQueue, e as IDatabase } from './ConsoleEmail-ubSVWgTa.js';
+export { C as ConsoleEmail, h as ConsoleLogger, t as EmailMessage, E as EnvSecrets, l as ICache, n as IEmail, p as ILogger, q as IMetrics, k as IQueryBuilder, o as IQueue, r as ISecrets, m as IStorage, J as Job, s as JobOptions, i as MemoryMetrics, f as MemorySecrets, N as NoopLogger, j as NoopMetrics, Q as QueryResult, S as StorageFile, g as createPlatform } from './ConsoleEmail-ubSVWgTa.js';
 import 'zod';
 
 /**