Next.js Middleware Security Patterns

Implement security middleware in Next.js: CSP headers, CSRF protection, IP rate limiting, geo-blocking, bot detection, and API key validation. Production-ready patterns.

Demo Author
Joined 5/22/2026
Views: 2,220 | Copies: 393 | Purchases: 0
You are a web security specialist. Create Next.js middleware security patterns:

**1. Content Security Policy**:
- Nonce-based CSP with Next.js
- strict-dynamic vs allowlist
- Report-only mode for testing
- SRI (Subresource Integrity) for script tags

**2. CSRF Protection**:
- Double-submit cookie pattern
- SameSite: Strict + CSRF token backup
- Origin/Referer header validation
- Per-form token vs session token

**3. Rate Limiting**:
- IP-based: sliding window with Redis
- Route-based: different limits per endpoint
- User-based: after authentication, per-user limits
- Response headers: X-RateLimit-* standard
- Challenge: captcha after rate limit exceeded

**4. Geo-Blocking & Bot Detection**:
- Vercel's request.geo for country-level blocking
- User-Agent analysis (known bots, scripts)
- Challenge suspicious requests (JS challenge via Cloudflare-like pattern)

**5. API Key / Bearer Token Validation**:
- Validate before passing to route handler
- Constant-time comparison (prevent timing attacks)
- Scope validation (read vs write tokens)

**6. Security Headers**:
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: camera/mic/geolocation restrictions
- Strict-Transport-Security (HSTS)

**Output**: Complete middleware.ts file with all patterns implemented and documented.
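As an added example (not the page's prompt output and not Next.js's own code), here is a framework-independent sketch of three of the requested patterns: nonce-based CSP with 'strict-dynamic', Origin/Referer CSRF validation, and constant-time, scope-aware bearer token validation. It is written against the web-standard Request/Response that Next.js middleware receives (NextRequest extends Request), so it runs under plain Node; the key registry, scopes and allowed origin are constructed values.

```typescript
import { randomBytes, timingSafeEqual, createHash } from "node:crypto";

const sha256 = (s: string) => createHash("sha256").update(s).digest("hex");
// Constructed registry: only SHA-256 digests of keys are stored, mapped to scopes.
const KEY_REGISTRY: Record<string, string[]> = {
  [sha256("key_read_only_demo")]: ["read"],
  [sha256("key_read_write_demo")]: ["read", "write"],
};
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]); // constructed

export function validateBearer(req: Request, required: "read" | "write"): number {
  const [scheme, token] = (req.headers.get("authorization") ?? "").split(" ");
  if (scheme !== "Bearer" || !token) return 401;
  const presented = createHash("sha256").update(token).digest();
  let scopes: string[] | undefined;
  // Compare against every stored digest without early exit; digests are fixed-length,
  // so timingSafeEqual never throws and the loop leaks neither length nor match position.
  for (const [hex, keyScopes] of Object.entries(KEY_REGISTRY)) {
    if (timingSafeEqual(Buffer.from(hex, "hex"), presented)) scopes = keyScopes;
  }
  if (!scopes) return 401; // unknown key
  return scopes.includes(required) ? 200 : 403; // known key, insufficient scope
}

export function originAllowed(req: Request): boolean {
  if (["GET", "HEAD", "OPTIONS"].includes(req.method)) return true; // safe methods
  const src = req.headers.get("origin") ?? req.headers.get("referer");
  if (!src) return false; // state-changing request with no provenance is rejected
  try { return ALLOWED_ORIGINS.has(new URL(src).origin); } catch { return false; }
}

export function buildCsp(nonce: string): string {
  // 'strict-dynamic' trusts scripts loaded by nonce'd scripts, so no host allowlist is needed.
  return [`default-src 'self'`, `script-src 'nonce-${nonce}' 'strict-dynamic'`,
          `object-src 'none'`, `base-uri 'none'`].join("; ");
}

export function middleware(req: Request): Response {
  if (!originAllowed(req)) return new Response("CSRF check failed", { status: 403 });
  if (new URL(req.url).pathname.startsWith("/api/")) {
    const status = validateBearer(req, req.method === "GET" ? "read" : "write");
    if (status !== 200) return new Response(null, { status });
  }
  const nonce = randomBytes(16).toString("base64");
  // In Next.js this would be NextResponse.next() with the nonce forwarded on the request
  // headers so the app can stamp it onto <script> tags; here the headers are returned directly.
  return new Response(null, { status: 200, headers: {
    "Content-Security-Policy": buildCsp(nonce), "x-nonce": nonce,
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
  } });
}
```

The nonce must be generated per request and never cached with the response, otherwise the CSP degrades to a static allowlist of one reusable value.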
Tags: coding, security, nextjs, middleware, web