Compare commits

..

4 Commits

Author SHA1 Message Date
ruinivist 2c88ac7972 fix: show autosave failures 2026-06-20 09:59:38 +00:00
ruinivist 0f984d4dea fix: tune excalidraw stroke widths 2026-06-20 09:47:25 +00:00
ruinivist 0a1d70b605 fix: extend upload timeout 2026-06-20 09:42:27 +00:00
ruinivist 40bf063490 fix: pan excalidraw with right click 2026-06-20 09:28:19 +00:00
5 changed files with 61 additions and 64 deletions
-4
View File
@@ -1,4 +0,0 @@
## 2024-06-06 - Missing HTTP Security Headers
**Vulnerability:** The Caddyfile configuration was missing standard HTTP security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy), leaving the application susceptible to clickjacking, MIME-type sniffing, and sensitive data leakage via referrers.
**Learning:** The application relies on Caddy as a reverse proxy, and by default, Caddy doesn't automatically add these specific security headers unless explicitly configured.
**Prevention:** Ensure that reverse proxy configurations in new projects or updates to existing ones explicitly include essential HTTP security headers in a global scope to protect all served content.
+19 -25
View File
@@ -1,36 +1,30 @@
{
auto_https off
admin off
auto_https off
admin off
}
:80 {
encode zstd gzip
encode zstd gzip
header {
X-Frame-Options "SAMEORIGIN"
X-Content-Type-Options "nosniff"
Referrer-Policy "strict-origin-when-cross-origin"
}
handle /mcp {
reverse_proxy 127.0.0.1:3001
}
handle /mcp {
reverse_proxy 127.0.0.1:3001
}
@app path / /api/*
handle @app {
reverse_proxy 127.0.0.1:3000
}
@app path / /api/*
handle @app {
reverse_proxy 127.0.0.1:3000
}
handle {
root * /srv/public
handle {
root * /srv/public
@html path /index.html /d/* /p/*
header @html Cache-Control "no-cache"
@html path /index.html /d/* /p/*
header @html Cache-Control "no-cache"
@assets path_regexp assets \.(?:css|js|mjs|svg|png|jpg|jpeg|gif|webp|ico|woff2?|ttf|otf)$
header @assets Cache-Control "public, max-age=31536000, immutable"
@assets path_regexp assets \.(?:css|js|mjs|svg|png|jpg|jpeg|gif|webp|ico|woff2?|ttf|otf)$
header @assets Cache-Control "public, max-age=31536000, immutable"
try_files {path} /index.html
file_server
}
try_files {path} /index.html
file_server
}
}
File diff suppressed because one or more lines are too long
+4
View File
@@ -231,6 +231,8 @@ export function useDrawingSession() {
}
if (isManual) {
showToast("Saved", 2000);
} else {
showToast(null);
}
})
.catch((saveError: unknown) => {
@@ -251,6 +253,8 @@ export function useDrawingSession() {
);
if (isManual) {
showToast("Save failed", 2000);
} else {
showToast("Autosave failed");
}
throw saveError;
})
+1
View File
@@ -12,6 +12,7 @@ export function createServer(options: CreateServerOptions = {}) {
return {
port: Number(process.env.PORT ?? "3000"),
hostname: process.env.HOST ?? "localhost",
idleTimeout: 120,
routes: {
"/": (request: Request) => {
const drawing = drawingStore.ensureInitialDrawing();