Security audit improvements: authentication, path traversal protection, file validation, rate limiting, security headers

middleware.ts

@@ -0,0 +1,52 @@
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+
+export function middleware(request: NextRequest) {
+    const response = NextResponse.next();
+
+    // Security Headers
+    const headers = response.headers;
+
+    // Prevent clickjacking
+    headers.set('X-Frame-Options', 'SAMEORIGIN');
+
+    // XSS Protection (legacy but still useful)
+    headers.set('X-XSS-Protection', '1; mode=block');
+
+    // Prevent MIME type sniffing
+    headers.set('X-Content-Type-Options', 'nosniff');
+
+    // Referrer Policy
+    headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+
+    // Permissions Policy (restrict features)
+    headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
+
+    // Content Security Policy
+    const csp = [
+        "default-src 'self'",
+        "script-src 'self' 'unsafe-inline' 'unsafe-eval'", // Next.js requires unsafe-inline/eval
+        "style-src 'self' 'unsafe-inline'", // Allow inline styles
+        "img-src 'self' data: blob:",
+        "font-src 'self' data:",
+        "connect-src 'self' https://openrouter.ai https://gotify.example.com https://musicbrainz.org",
+        "media-src 'self' blob:",
+        "frame-ancestors 'self'",
+    ].join('; ');
+    headers.set('Content-Security-Policy', csp);
+
+    return response;
+}
+
+// Apply middleware to all routes
+export const config = {
+    matcher: [
+        /*
+         * Match all request paths except for the ones starting with:
+         * - _next/static (static files)
+         * - _next/image (image optimization files)
+         * - favicon.ico (favicon file)
+         */
+        '/((?!_next/static|_next/image|favicon.ico).*)',
+    ],
+};