Compare commits

..

1 Commits

Author SHA1 Message Date
ruinivist 9ab0a350ec feat: add http security headers to caddyfile 2026-06-06 08:30:04 +00:00
4 changed files with 30 additions and 31 deletions
-4
View File
@@ -1,4 +0,0 @@
## 2025-06-03 - Avoid TextEncoder for string byte length
**Learning:** `new TextEncoder().encode(text).byteLength` allocates a `Uint8Array` for the entire string, which causes significant memory allocations and is ~100x slower for large JSON payloads in Bun/Node.
**Action:** Use `Buffer.byteLength(text)` when available (with a fallback to `TextEncoder` for browser compatibility) to compute string byte lengths without memory allocation overhead.
+4
View File
@@ -0,0 +1,4 @@
## 2024-06-06 - Missing HTTP Security Headers
**Vulnerability:** The Caddyfile configuration was missing standard HTTP security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy), leaving the application susceptible to clickjacking, MIME-type sniffing, and sensitive data leakage via referrers.
**Learning:** The application relies on Caddy as a reverse proxy, and by default, Caddy doesn't automatically add these specific security headers unless explicitly configured.
**Prevention:** Ensure that reverse proxy configurations in new projects or updates to existing ones explicitly include essential HTTP security headers in a global scope to protect all served content.
+25 -19
View File
@@ -1,30 +1,36 @@
{
auto_https off
admin off
auto_https off
admin off
}
:80 {
encode zstd gzip
encode zstd gzip
handle /mcp {
reverse_proxy 127.0.0.1:3001
}
header {
X-Frame-Options "SAMEORIGIN"
X-Content-Type-Options "nosniff"
Referrer-Policy "strict-origin-when-cross-origin"
}
@app path / /api/*
handle @app {
reverse_proxy 127.0.0.1:3000
}
handle /mcp {
reverse_proxy 127.0.0.1:3001
}
handle {
root * /srv/public
@app path / /api/*
handle @app {
reverse_proxy 127.0.0.1:3000
}
@html path /index.html /d/* /p/*
header @html Cache-Control "no-cache"
handle {
root * /srv/public
@assets path_regexp assets \.(?:css|js|mjs|svg|png|jpg|jpeg|gif|webp|ico|woff2?|ttf|otf)$
header @assets Cache-Control "public, max-age=31536000, immutable"
@html path /index.html /d/* /p/*
header @html Cache-Control "no-cache"
try_files {path} /index.html
file_server
}
@assets path_regexp assets \.(?:css|js|mjs|svg|png|jpg|jpeg|gif|webp|ico|woff2?|ttf|otf)$
header @assets Cache-Control "public, max-age=31536000, immutable"
try_files {path} /index.html
file_server
}
}
+1 -8
View File
@@ -75,14 +75,7 @@ export function normalizeScene(input: unknown): ScenePayload {
}
export function parseJsonBody<T = unknown>(text: string): T {
// Optimization: TextEncoder.encode creates a new Uint8Array and allocates memory for the entire
// string, which is slow for large JSON payloads. Buffer.byteLength counts bytes without allocation.
const byteLength =
typeof Buffer !== "undefined"
? Buffer.byteLength(text)
: new TextEncoder().encode(text).byteLength;
if (byteLength > MAX_SCENE_BYTES) {
if (new TextEncoder().encode(text).byteLength > MAX_SCENE_BYTES) {
throw new HttpError(413, "Payload too large");
}