fix(security): harden security headers across API and Web apps

- API: set X-Frame-Options to DENY via frameguard, add Permissions-Policy header, widen CSP connect-src for Swagger CDN - Web: add HSTS header (1yr, includeSubDomains, preload), add payment=(self) to Permissions-Policy, make localhost:3001 in CSP connect-src dev-only Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-10 20:10:22 +07:00
parent 2a8799ac5b
commit 017d85247e
4 changed files with 228 additions and 3 deletions
--- a/docker-compose.ci.yml
+++ b/docker-compose.ci.yml
@@ -0,0 +1,74 @@
+# Docker Compose for CI / local E2E testing.
+# Provides the minimum set of services required to run the full E2E suite.
+#
+# Usage (local):
+#   docker compose -f docker-compose.ci.yml up -d --wait
+#   pnpm db:generate && pnpm db:migrate:deploy && pnpm db:seed
+#   pnpm test:e2e
+#   docker compose -f docker-compose.ci.yml down -v
+
+services:
+  postgres:
+    image: postgis/postgis:16-3.4
+    container_name: goodgo-ci-postgres
+    ports:
+      - '${DB_PORT:-5432}:5432'
+    environment:
+      POSTGRES_DB: goodgo_test
+      POSTGRES_USER: goodgo
+      POSTGRES_PASSWORD: goodgo_test_secret
+    tmpfs:
+      - /var/lib/postgresql/data
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready -U goodgo -d goodgo_test']
+      interval: 5s
+      timeout: 3s
+      retries: 10
+      start_period: 10s
+
+  redis:
+    image: redis:7-alpine
+    container_name: goodgo-ci-redis
+    ports:
+      - '${REDIS_PORT:-6379}:6379'
+    command: redis-server --save "" --appendonly no
+    healthcheck:
+      test: ['CMD', 'redis-cli', 'ping']
+      interval: 5s
+      timeout: 3s
+      retries: 10
+
+  typesense:
+    image: typesense/typesense:27.1
+    container_name: goodgo-ci-typesense
+    ports:
+      - '${TYPESENSE_PORT:-8108}:8108'
+    environment:
+      TYPESENSE_API_KEY: ts_ci_key
+      TYPESENSE_DATA_DIR: /data
+    tmpfs:
+      - /data
+    healthcheck:
+      test: ['CMD', 'curl', '-sf', 'http://localhost:8108/health']
+      interval: 5s
+      timeout: 3s
+      retries: 10
+      start_period: 10s
+
+  minio:
+    image: minio/minio:latest
+    container_name: goodgo-ci-minio
+    ports:
+      - '${MINIO_PORT:-9000}:9000'
+    command: server /data
+    environment:
+      MINIO_ROOT_USER: ci_minio_user
+      MINIO_ROOT_PASSWORD: ci_minio_secret_key_32chars!!
+    tmpfs:
+      - /data
+    healthcheck:
+      test: ['CMD', 'curl', '-sf', 'http://localhost:9000/minio/health/live']
+      interval: 5s
+      timeout: 3s
+      retries: 10
+      start_period: 5s