import { NextRequest, NextResponse } from "next/server"; import { locales, defaultLocale } from "@/lib/i18n/config"; const COOKIE = "NEXT_LOCALE"; const SECURITY_HEADERS: Record = { "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "camera=(), microphone=(), geolocation=(), interest-cohort=()", "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload", }; function applySecurityHeaders(res: NextResponse): NextResponse { for (const [k, v] of Object.entries(SECURITY_HEADERS)) res.headers.set(k, v); return res; } function detectLocale(req: NextRequest): string { // 1. Cookie const cookie = req.cookies.get(COOKIE)?.value; if (cookie && (locales as readonly string[]).includes(cookie)) return cookie; // 2. Accept-Language header — match against all shipped locales const accept = req.headers.get("accept-language") ?? ""; if (accept) { const preferred = accept.split(",").map((s) => s.split(";")[0].trim().split("-")[0].toLowerCase()); for (const lang of preferred) { if ((locales as readonly string[]).includes(lang)) return lang; } } return defaultLocale; } export function middleware(req: NextRequest) { const { pathname } = req.nextUrl; // Skip API routes, static files, _next, and the dot-less metadata route // for the shared OG image (but still apply security headers). if ( pathname.startsWith("/api/") || pathname.startsWith("/_next/") || pathname === "/opengraph-image" || pathname.includes(".") ) { return applySecurityHeaders(NextResponse.next()); } // Check if locale is already in path const seg = pathname.split("/")[1]; if (locales.includes(seg as typeof locales[number])) { const res = NextResponse.next(); res.cookies.set(COOKIE, seg, { path: "/", maxAge: 60 * 60 * 24 * 365 }); return applySecurityHeaders(res); } // Redirect bare paths to detected locale const locale = detectLocale(req); const url = req.nextUrl.clone(); url.pathname = `/${locale}${pathname}`; const res = NextResponse.redirect(url); res.cookies.set(COOKIE, locale, { path: "/", maxAge: 60 * 60 * 24 * 365 }); return applySecurityHeaders(res); } export const config = { // Match everything so security headers apply globally; the function // bypasses redirect/locale logic for /_next, /api, and dotted paths. matcher: ["/:path*"], };