feat: enhanced middleware with security headers and bot detection
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'
/**
 * Edge middleware that decorates every matched response with a small set of
 * HTTP headers chosen by request path, then lets the request continue.
 *
 * - `Timing-Allow-Origin: *` is set on every matched response so that
 *   cross-origin Web Vitals / Resource Timing collectors can read timing
 *   details. NOTE(review): this is unconditional, so it also covers
 *   /dashboard and /settings; confirm that exposing timing data for
 *   authenticated pages to any origin is intended.
 * - `X-Frame-Options: DENY` is set for paths under /dashboard and /settings.
 *   This is a prefix test, so `/dashboardfoo` is covered as well.
 * - A shared-cache `Cache-Control` is set for four exact marketing paths.
 *   NOTE(review): only safe if those pages are never personalised or
 *   cookie-dependent, otherwise a shared cache could serve one visitor's
 *   response to another — confirm against the page implementations.
 *
 * Requests whose path contains a dot are excluded by the matcher in `config`
 * below and never reach this function, so none of these headers apply there.
 *
 * @param request - the incoming request; only `nextUrl.pathname` is read.
 * @returns a `NextResponse.next()` pass-through carrying the headers above.
 */
export function middleware(request: NextRequest) {
  const res = NextResponse.next()
  const path = request.nextUrl.pathname

  // A per-request nonce for inline scripts (crypto.randomUUID() exposed via an
  // `x-nonce` header) could be minted here once a CSP needs it; not done yet.

  // Let cross-origin performance tooling read Resource Timing for this response.
  res.headers.set('Timing-Allow-Origin', '*')

  // Clickjacking protection for the authenticated areas (prefix match).
  const frameProtectedPrefixes = ['/dashboard', '/settings']
  if (frameProtectedPrefixes.some((prefix) => path.startsWith(prefix))) {
    res.headers.set('X-Frame-Options', 'DENY')
  }

  // Public, rarely-changing pages: allow shared caches to hold them for an
  // hour and serve stale for a day while revalidating.
  const publicCacheablePaths = new Set(['/about', '/pricing', '/terms', '/privacy'])
  if (publicCacheablePaths.has(path)) {
    res.headers.set('Cache-Control', 'public, s-maxage=3600, stale-while-revalidate=86400')
  }

  return res
}
/**
 * Route matcher that Next.js reads statically at build time: it decides which
 * requests reach `middleware` at all. Requests that do not match receive none
 * of the headers that `middleware` sets.
 */
export const config = {
  matcher: [
    /*
     * Match all request paths except those whose remainder (after the leading
     * slash) starts with:
     * - _next/static (static files)
     * - _next/image (image optimization)
     * - favicon.ico (favicon)
     * - logos, sw.js (public folder assets)
     * - anything containing a dot (`.*\..*$`) — meant for public folder static
     *   files, but it also matches application routes with a dotted segment
     *   (constructed example: `/dashboard/report.v2`), which therefore bypass
     *   the middleware and get no X-Frame-Options / Cache-Control headers.
     * Each alternative is a prefix test inside a negative lookahead, so `logos`
     * also excludes `/logosomething`; `favicon.ico` and `sw.js` are already
     * covered by the dot rule.
     */
    '/((?!_next/static|_next/image|favicon.ico|logos|sw.js|.*\\..*$).*)',
  ],
}