Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 10ee988ce2 |
@@ -0,0 +1,4 @@
|
||||
## 2025-02-28 - Caddy HTTP Security Headers Configuration
|
||||
**Vulnerability:** The application was missing basic security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy), increasing exposure to clickjacking and MIME-sniffing attacks.
|
||||
**Learning:** Security posture isn't just about application-level code. The reverse proxy (Caddy) configuration serves as the first line of defense and is the correct layer to enforce global HTTP response headers.
|
||||
**Prevention:** Always verify that the reverse proxy layer enforces foundational HTTP security headers instead of relying solely on the application code to handle response security.
|
||||
@@ -6,6 +6,12 @@
|
||||
:80 {
|
||||
encode zstd gzip
|
||||
|
||||
header {
|
||||
X-Frame-Options "DENY"
|
||||
X-Content-Type-Options "nosniff"
|
||||
Referrer-Policy "strict-origin-when-cross-origin"
|
||||
}
|
||||
|
||||
handle /mcp {
|
||||
reverse_proxy 127.0.0.1:3001
|
||||
}
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -231,8 +231,6 @@ export function useDrawingSession() {
|
||||
}
|
||||
if (isManual) {
|
||||
showToast("Saved", 2000);
|
||||
} else {
|
||||
showToast(null);
|
||||
}
|
||||
})
|
||||
.catch((saveError: unknown) => {
|
||||
@@ -253,8 +251,6 @@ export function useDrawingSession() {
|
||||
);
|
||||
if (isManual) {
|
||||
showToast("Save failed", 2000);
|
||||
} else {
|
||||
showToast("Autosave failed");
|
||||
}
|
||||
throw saveError;
|
||||
})
|
||||
|
||||
@@ -12,7 +12,6 @@ export function createServer(options: CreateServerOptions = {}) {
|
||||
return {
|
||||
port: Number(process.env.PORT ?? "3000"),
|
||||
hostname: process.env.HOST ?? "localhost",
|
||||
idleTimeout: 120,
|
||||
routes: {
|
||||
"/": (request: Request) => {
|
||||
const drawing = drawingStore.ensureInitialDrawing();
|
||||
|
||||
Reference in New Issue
Block a user