admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): harden security headers across API and Web apps

Browse Source 
- API: set X-Frame-Options to DENY via frameguard, add Permissions-Policy header, widen CSP connect-src for Swagger CDN
- Web: add HSTS header (1yr, includeSubDomains, preload), add payment=(self) to Permissions-Policy, make localhost:3001 in CSP connect-src dev-only

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Ho Ngoc Hai
2026-04-10 20:10:22 +07:00
parent 2a8799ac5b
commit 017d85247e
4 changed files with 228 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

137
.github/workflows/ci.yml vendored
View File

@@ -66,3 +66,140 @@ jobs:
- name: Build
run: pnpm build
e2e:
name: E2E Tests
needs: ci
runs-on: ubuntu-latest
timeout-minutes: 20
services:
postgres:
image: postgis/postgis:16-3.4
env:
POSTGRES_DB: goodgo_test
POSTGRES_USER: goodgo
POSTGRES_PASSWORD: goodgo_test_secret
ports:
- 5432:5432
options: >-
--health-cmd "pg_isready -U goodgo -d goodgo_test"
--health-interval 10s
--health-timeout 5s
--health-retries 5
--health-start-period 30s
redis:
image: redis:7-alpine
ports:
- 6379:6379
options: >-
--health-cmd "redis-cli ping"
--health-interval 10s
--health-timeout 5s
--health-retries 5
typesense:
image: typesense/typesense:27.1
ports:
- 8108:8108
env:
TYPESENSE_API_KEY: ts_ci_key
TYPESENSE_DATA_DIR: /data
options: >-
--health-cmd "curl -sf http://localhost:8108/health || exit 1"
--health-interval 10s
--health-timeout 5s
--health-retries 5
minio:
image: minio/minio:latest
ports:
- 9000:9000
env:
MINIO_ROOT_USER: ci_minio_user
MINIO_ROOT_PASSWORD: ci_minio_secret_key_32chars!!
options: >-
--health-cmd "curl -sf http://localhost:9000/minio/health/live || exit 1"
--health-interval 10s
--health-timeout 5s
--health-retries 5
env:
DATABASE_URL: postgresql://goodgo:goodgo_test_secret@localhost:5432/goodgo_test
REDIS_URL: redis://localhost:6379
TYPESENSE_URL: http://localhost:8108
TYPESENSE_HOST: localhost
TYPESENSE_PORT: 8108
TYPESENSE_API_KEY: ts_ci_key
MINIO_ENDPOINT: localhost
MINIO_PORT: 9000
MINIO_ACCESS_KEY: ci_minio_user
MINIO_SECRET_KEY: ci_minio_secret_key_32chars!!
MINIO_BUCKET: goodgo-uploads
NODE_ENV: test
JWT_SECRET: e2e-test-jwt-secret-key
JWT_REFRESH_SECRET: e2e-test-refresh-secret-key
VNPAY_TMN_CODE: TESTCODE
VNPAY_HASH_SECRET: TESTHASHSECRET
VNPAY_URL: https://sandbox.vnpayment.vn/paymentv2/vpcpay.html
VNPAY_RETURN_URL: http://localhost:3000/payment/return
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install pnpm
uses: pnpm/action-setup@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 22
cache: pnpm
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Cache Playwright browsers
id: playwright-cache
uses: actions/cache@v4
with:
path: ~/.cache/ms-playwright
key: playwright-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
- name: Install Playwright browsers
if: steps.playwright-cache.outputs.cache-hit != 'true'
run: npx playwright install --with-deps chromium
- name: Install Playwright system deps
if: steps.playwright-cache.outputs.cache-hit == 'true'
run: npx playwright install-deps chromium
- name: Generate Prisma client
run: pnpm db:generate
- name: Run database migrations
run: pnpm db:migrate:deploy
- name: Seed database
run: pnpm db:seed
- name: Run E2E tests
run: pnpm test:e2e
- name: Upload Playwright report
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: playwright-report
path: playwright-report/
retention-days: 14
- name: Upload Playwright traces
if: failure()
uses: actions/upload-artifact@v4
with:
name: playwright-traces
path: test-results/
retention-days: 7