Compare commits

..

3 Commits

Author SHA1 Message Date
ruinivist 0f984d4dea fix: tune excalidraw stroke widths 2026-06-20 09:47:25 +00:00
ruinivist 0a1d70b605 fix: extend upload timeout 2026-06-20 09:42:27 +00:00
ruinivist 40bf063490 fix: pan excalidraw with right click 2026-06-20 09:28:19 +00:00
4 changed files with 38 additions and 46 deletions
-5
View File
@@ -1,5 +0,0 @@
## 2025-06-07 - [Added Security Headers via Caddy]
**Vulnerability:** Missing HTTP security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy).
**Learning:** The application does not apply security headers in the Bun application server but instead relies on the Caddy reverse proxy to inject them in the `Caddyfile`.
**Prevention:** Always configure security headers at the reverse proxy level (`Caddyfile`) instead of within the backend API routing code to ensure all routes, including static files, are properly protected.
-6
View File
@@ -6,12 +6,6 @@
:80 {
encode zstd gzip
header {
X-Frame-Options "SAMEORIGIN"
X-Content-Type-Options "nosniff"
Referrer-Policy "strict-origin-when-cross-origin"
}
handle /mcp {
reverse_proxy 127.0.0.1:3001
}
File diff suppressed because one or more lines are too long
+1
View File
@@ -12,6 +12,7 @@ export function createServer(options: CreateServerOptions = {}) {
return {
port: Number(process.env.PORT ?? "3000"),
hostname: process.env.HOST ?? "localhost",
idleTimeout: 120,
routes: {
"/": (request: Request) => {
const drawing = drawingStore.ensureInitialDrawing();