Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 2c88ac7972 | |||
| 0f984d4dea | |||
| 0a1d70b605 | |||
| 40bf063490 |
@@ -1,4 +0,0 @@
|
||||
## 2024-06-06 - Missing HTTP Security Headers
|
||||
**Vulnerability:** The Caddyfile configuration was missing standard HTTP security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy), leaving the application susceptible to clickjacking, MIME-type sniffing, and sensitive data leakage via referrers.
|
||||
**Learning:** The application relies on Caddy as a reverse proxy, and by default, Caddy doesn't automatically add these specific security headers unless explicitly configured.
|
||||
**Prevention:** Ensure that reverse proxy configurations in new projects or updates to existing ones explicitly include essential HTTP security headers in a global scope to protect all served content.
|
||||
@@ -1,36 +1,30 @@
|
||||
{
|
||||
auto_https off
|
||||
admin off
|
||||
auto_https off
|
||||
admin off
|
||||
}
|
||||
|
||||
:80 {
|
||||
encode zstd gzip
|
||||
encode zstd gzip
|
||||
|
||||
header {
|
||||
X-Frame-Options "SAMEORIGIN"
|
||||
X-Content-Type-Options "nosniff"
|
||||
Referrer-Policy "strict-origin-when-cross-origin"
|
||||
}
|
||||
handle /mcp {
|
||||
reverse_proxy 127.0.0.1:3001
|
||||
}
|
||||
|
||||
handle /mcp {
|
||||
reverse_proxy 127.0.0.1:3001
|
||||
}
|
||||
@app path / /api/*
|
||||
handle @app {
|
||||
reverse_proxy 127.0.0.1:3000
|
||||
}
|
||||
|
||||
@app path / /api/*
|
||||
handle @app {
|
||||
reverse_proxy 127.0.0.1:3000
|
||||
}
|
||||
handle {
|
||||
root * /srv/public
|
||||
|
||||
handle {
|
||||
root * /srv/public
|
||||
@html path /index.html /d/* /p/*
|
||||
header @html Cache-Control "no-cache"
|
||||
|
||||
@html path /index.html /d/* /p/*
|
||||
header @html Cache-Control "no-cache"
|
||||
@assets path_regexp assets \.(?:css|js|mjs|svg|png|jpg|jpeg|gif|webp|ico|woff2?|ttf|otf)$
|
||||
header @assets Cache-Control "public, max-age=31536000, immutable"
|
||||
|
||||
@assets path_regexp assets \.(?:css|js|mjs|svg|png|jpg|jpeg|gif|webp|ico|woff2?|ttf|otf)$
|
||||
header @assets Cache-Control "public, max-age=31536000, immutable"
|
||||
|
||||
try_files {path} /index.html
|
||||
file_server
|
||||
}
|
||||
try_files {path} /index.html
|
||||
file_server
|
||||
}
|
||||
}
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -231,6 +231,8 @@ export function useDrawingSession() {
|
||||
}
|
||||
if (isManual) {
|
||||
showToast("Saved", 2000);
|
||||
} else {
|
||||
showToast(null);
|
||||
}
|
||||
})
|
||||
.catch((saveError: unknown) => {
|
||||
@@ -251,6 +253,8 @@ export function useDrawingSession() {
|
||||
);
|
||||
if (isManual) {
|
||||
showToast("Save failed", 2000);
|
||||
} else {
|
||||
showToast("Autosave failed");
|
||||
}
|
||||
throw saveError;
|
||||
})
|
||||
|
||||
@@ -12,6 +12,7 @@ export function createServer(options: CreateServerOptions = {}) {
|
||||
return {
|
||||
port: Number(process.env.PORT ?? "3000"),
|
||||
hostname: process.env.HOST ?? "localhost",
|
||||
idleTimeout: 120,
|
||||
routes: {
|
||||
"/": (request: Request) => {
|
||||
const drawing = drawingStore.ensureInitialDrawing();
|
||||
|
||||
Reference in New Issue
Block a user