beeta/frontend/svelte.config.js

import adapter from '@sveltejs/adapter-node';
import { vitePreprocess } from '@sveltejs/vite-plugin-svelte';

/** @type {import('@sveltejs/kit').Config} */
const config = {
    preprocess: vitePreprocess(),
    
    kit: {
        adapter: adapter({
            out: 'build',
            precompress: false
        }),
        
        csp: {
            mode: 'auto',
            directives: {
                'default-src': ["'self'"],
                'script-src': ["'self'", 'https://www.youtube.com'],
                // Note: 'unsafe-inline' required because Svelte uses inline styles for transitions and dynamic bindings
                'style-src': ["'self'", "'unsafe-inline'", 'https://cdnjs.cloudflare.com'],
                'img-src': ["'self'", 'data:', 'blob:', 'https://img.youtube.com', 'https://i.ytimg.com'],
                'font-src': ["'self'", 'data:', 'https://cdnjs.cloudflare.com'],
                'connect-src': [
                    "'self'",
                    'ws://*:*',       // Allow any WebSocket
                    'wss://*:*',      // Allow any secure WebSocket
                    'http://*:*',     // Allow any HTTP (for dev and streaming)
                    'https://*:*',    // Allow any HTTPS
                    'https://www.youtube.com'
                ],
                'media-src': ["'self'", 'blob:', 'http://*:*', 'https://*:*'],
                'frame-src': ["'self'", 'blob:', 'https://www.youtube.com'],
                'object-src': ["'none'"],
                'frame-ancestors': ["'none'"],
                'form-action': ["'self'"],
                'base-uri': ["'self'"]
            }
        },
        
        // Enable CSRF protection (default is true)
        csrf: {
            checkOrigin: true
        },
        
        // Environment variable configuration
        env: {
            publicPrefix: 'VITE_'  // This is already correct
        },
        
        // Ensure default appDir is used (don't override)
        // appDir: '_app' // This is the default, no need to set
        
        // Performance: prerender error pages
        prerender: {
            entries: ['/'],
            handleHttpError: ({ path, referrer, message }) => {
                // Log errors but don't fail build
                console.warn(`${path} (${referrer}) - ${message}`);
            }
        }
    }
};

export default config;