security: add headers, fetch timeouts, Retry-After cap, env validation

- next.config.ts: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy - sixflags.ts: cap Retry-After at 5 min; add 15s AbortSignal.timeout() - queuetimes.ts: add 10s AbortSignal.timeout() - rcdb.ts: add 15s AbortSignal.timeout() - lib/env.ts: parseStalenessHours() guards against NaN from invalid env vars - db.ts + park-meta.ts: use parseStalenessHours() for staleness window config Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 17:13:01 -04:00
parent e1b0e5e44d
commit 6bb35d468f
7 changed files with 46 additions and 7 deletions
--- a/next.config.ts
+++ b/next.config.ts
@@ -1,9 +1,34 @@
 import type { NextConfig } from "next";

+const CSP = [
+  "default-src 'self'",
+  "script-src 'self' 'unsafe-inline'",  // Next.js requires unsafe-inline for hydration
+  "style-src 'self' 'unsafe-inline'",
+  "img-src 'self' data:",
+  "font-src 'self'",
+  "connect-src 'self' https://queue-times.com",
+  "frame-ancestors 'none'",
+].join("; ");
+
 const nextConfig: NextConfig = {
  // better-sqlite3 is a native module — must not be bundled by webpack
  serverExternalPackages: ["better-sqlite3"],
  output: "standalone",
+
+  async headers() {
+    return [
+      {
+        source: "/(.*)",
+        headers: [
+          { key: "X-Content-Type-Options", value: "nosniff" },
+          { key: "X-Frame-Options",        value: "DENY" },
+          { key: "Referrer-Policy",        value: "strict-origin-when-cross-origin" },
+          { key: "Permissions-Policy",     value: "geolocation=(), microphone=(), camera=()" },
+          { key: "Content-Security-Policy", value: CSP },
+        ],
+      },
+    ];
+  },
 };

 export default nextConfig;