fix(security): harden security headers across API and Web apps

- API: set X-Frame-Options to DENY via frameguard, add Permissions-Policy header, widen CSP connect-src for Swagger CDN - Web: add HSTS header (1yr, includeSubDomains, preload), add payment=(self) to Permissions-Policy, make localhost:3001 in CSP connect-src dev-only Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-10 20:10:22 +07:00
parent 2a8799ac5b
commit 017d85247e
4 changed files with 228 additions and 3 deletions
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -61,7 +61,7 @@ async function bootstrap() {
          scriptSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
          styleSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
          imgSrc: ["'self'", 'data:', 'https:', 'blob:'],
-          connectSrc: ["'self'"],
+          connectSrc: ["'self'", 'https://cdn.jsdelivr.net'],
          fontSrc: ["'self'", 'data:'],
          objectSrc: ["'none'"],
          frameSrc: ["'none'"],
@@ -72,11 +72,21 @@ async function bootstrap() {
      crossOriginEmbedderPolicy: true,
      crossOriginOpenerPolicy: true,
      crossOriginResourcePolicy: { policy: 'same-origin' },
+      frameguard: { action: 'deny' },
      hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
      referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
    }),
  );

+  // ── Permissions-Policy Header ──
+  app.use((_req: unknown, res: { setHeader: (name: string, value: string) => void }, next: () => void) => {
+    res.setHeader(
+      'Permissions-Policy',
+      'camera=(), microphone=(), geolocation=(self), payment=(self)',
+    );
+    next();
+  });
+
  // ── Cookie Parser (required for CSRF double-submit pattern) ──
  app.use(cookieParser());

--- a/apps/web/next.config.js
+++ b/apps/web/next.config.js
@@ -24,7 +24,11 @@ const nextConfig = {
          { key: 'X-Frame-Options', value: 'DENY' },
          { key: 'X-XSS-Protection', value: '1; mode=block' },
          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
-          { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(self)' },
+          {
+            key: 'Strict-Transport-Security',
+            value: 'max-age=31536000; includeSubDomains; preload',
+          },
+          { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(self), payment=(self)' },
          {
            key: 'Content-Security-Policy',
            value: [
@@ -33,7 +37,7 @@ const nextConfig = {
              "style-src 'self' 'unsafe-inline' https://api.mapbox.com",
              "img-src 'self' data: blob: https://*.mapbox.com https://*.tiles.mapbox.com https:",
              "font-src 'self' data:",
-              "connect-src 'self' https://*.mapbox.com https://api.mapbox.com https://events.mapbox.com http://localhost:3001",
+              `connect-src 'self' https://*.mapbox.com https://api.mapbox.com https://events.mapbox.com${process.env.NODE_ENV === 'development' ? ' http://localhost:3001' : ''}`,
              "worker-src 'self' blob:",
              "child-src 'self' blob:",
              "frame-ancestors 'none'",