admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): harden security headers across API and Web apps

Browse Source 
- API: set X-Frame-Options to DENY via frameguard, add Permissions-Policy header, widen CSP connect-src for Swagger CDN
- Web: add HSTS header (1yr, includeSubDomains, preload), add payment=(self) to Permissions-Policy, make localhost:3001 in CSP connect-src dev-only

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Ho Ngoc Hai
2026-04-10 20:10:22 +07:00
parent 2a8799ac5b
commit 017d85247e
4 changed files with 228 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

137
.github/workflows/ci.yml vendored
View File

@@ -66,3 +66,140 @@ jobs:
- name: Build
run: pnpm build
e2e:
name: E2E Tests
needs: ci
runs-on: ubuntu-latest
timeout-minutes: 20
services:
postgres:
image: postgis/postgis:16-3.4
env:
POSTGRES_DB: goodgo_test
POSTGRES_USER: goodgo
POSTGRES_PASSWORD: goodgo_test_secret
ports:
- 5432:5432
options: >-
--health-cmd "pg_isready -U goodgo -d goodgo_test"
--health-interval 10s
--health-timeout 5s
--health-retries 5
--health-start-period 30s
redis:
image: redis:7-alpine
ports:
- 6379:6379
options: >-
--health-cmd "redis-cli ping"
--health-interval 10s
--health-timeout 5s
--health-retries 5
typesense:
image: typesense/typesense:27.1
ports:
- 8108:8108
env:
TYPESENSE_API_KEY: ts_ci_key
TYPESENSE_DATA_DIR: /data
options: >-
--health-cmd "curl -sf http://localhost:8108/health || exit 1"
--health-interval 10s
--health-timeout 5s
--health-retries 5
minio:
image: minio/minio:latest
ports:
- 9000:9000
env:
MINIO_ROOT_USER: ci_minio_user
MINIO_ROOT_PASSWORD: ci_minio_secret_key_32chars!!
options: >-
--health-cmd "curl -sf http://localhost:9000/minio/health/live || exit 1"
--health-interval 10s
--health-timeout 5s
--health-retries 5
env:
DATABASE_URL: postgresql://goodgo:goodgo_test_secret@localhost:5432/goodgo_test
REDIS_URL: redis://localhost:6379
TYPESENSE_URL: http://localhost:8108
TYPESENSE_HOST: localhost
TYPESENSE_PORT: 8108
TYPESENSE_API_KEY: ts_ci_key
MINIO_ENDPOINT: localhost
MINIO_PORT: 9000
MINIO_ACCESS_KEY: ci_minio_user
MINIO_SECRET_KEY: ci_minio_secret_key_32chars!!
MINIO_BUCKET: goodgo-uploads
NODE_ENV: test
JWT_SECRET: e2e-test-jwt-secret-key
JWT_REFRESH_SECRET: e2e-test-refresh-secret-key
VNPAY_TMN_CODE: TESTCODE
VNPAY_HASH_SECRET: TESTHASHSECRET
VNPAY_URL: https://sandbox.vnpayment.vn/paymentv2/vpcpay.html
VNPAY_RETURN_URL: http://localhost:3000/payment/return
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install pnpm
uses: pnpm/action-setup@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 22
cache: pnpm
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Cache Playwright browsers
id: playwright-cache
uses: actions/cache@v4
with:
path: ~/.cache/ms-playwright
key: playwright-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
- name: Install Playwright browsers
if: steps.playwright-cache.outputs.cache-hit != 'true'
run: npx playwright install --with-deps chromium
- name: Install Playwright system deps
if: steps.playwright-cache.outputs.cache-hit == 'true'
run: npx playwright install-deps chromium
- name: Generate Prisma client
run: pnpm db:generate
- name: Run database migrations
run: pnpm db:migrate:deploy
- name: Seed database
run: pnpm db:seed
- name: Run E2E tests
run: pnpm test:e2e
- name: Upload Playwright report
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: playwright-report
path: playwright-report/
retention-days: 14
- name: Upload Playwright traces
if: failure()
uses: actions/upload-artifact@v4
with:
name: playwright-traces
path: test-results/
retention-days: 7

12
apps/api/src/main.ts
View File

@@ -61,7 +61,7 @@ async function bootstrap() {
scriptSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
styleSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
imgSrc: ["'self'", 'data:', 'https:', 'blob:'],
connectSrc: ["'self'"],
connectSrc: ["'self'", 'https://cdn.jsdelivr.net'],
fontSrc: ["'self'", 'data:'],
objectSrc: ["'none'"],
frameSrc: ["'none'"],
@@ -72,11 +72,21 @@ async function bootstrap() {
crossOriginEmbedderPolicy: true,
crossOriginOpenerPolicy: true,
crossOriginResourcePolicy: { policy: 'same-origin' },
frameguard: { action: 'deny' },
hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
}),
);
// ── Permissions-Policy Header ──
app.use((_req: unknown, res: { setHeader: (name: string, value: string) => void }, next: () => void) => {
res.setHeader(
'Permissions-Policy',
'camera=(), microphone=(), geolocation=(self), payment=(self)',
);
next();
});
// ── Cookie Parser (required for CSRF double-submit pattern) ──
app.use(cookieParser());

8
apps/web/next.config.js
View File

@@ -24,7 +24,11 @@ const nextConfig = {
{ key: 'X-Frame-Options', value: 'DENY' },
{ key: 'X-XSS-Protection', value: '1; mode=block' },
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(self)' },
{
key: 'Strict-Transport-Security',
value: 'max-age=31536000; includeSubDomains; preload',
},
{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(self), payment=(self)' },
{
key: 'Content-Security-Policy',
value: [
@@ -33,7 +37,7 @@ const nextConfig = {
"style-src 'self' 'unsafe-inline' https://api.mapbox.com",
"img-src 'self' data: blob: https://*.mapbox.com https://*.tiles.mapbox.com https:",
"font-src 'self' data:",
"connect-src 'self' https://*.mapbox.com https://api.mapbox.com https://events.mapbox.com http://localhost:3001",
`connect-src 'self' https://*.mapbox.com https://api.mapbox.com https://events.mapbox.com${process.env.NODE_ENV === 'development' ? ' http://localhost:3001' : ''}`,
"worker-src 'self' blob:",
"child-src 'self' blob:",
"frame-ancestors 'none'",

74
docker-compose.ci.yml Normal file
View File

@@ -0,0 +1,74 @@
# Docker Compose for CI / local E2E testing.
# Provides the minimum set of services required to run the full E2E suite.
#
# Usage (local):
# docker compose -f docker-compose.ci.yml up -d --wait
# pnpm db:generate && pnpm db:migrate:deploy && pnpm db:seed
# pnpm test:e2e
# docker compose -f docker-compose.ci.yml down -v
services:
postgres:
image: postgis/postgis:16-3.4
container_name: goodgo-ci-postgres
ports:
- '${DB_PORT:-5432}:5432'
environment:
POSTGRES_DB: goodgo_test
POSTGRES_USER: goodgo
POSTGRES_PASSWORD: goodgo_test_secret
tmpfs:
- /var/lib/postgresql/data
healthcheck:
test: ['CMD-SHELL', 'pg_isready -U goodgo -d goodgo_test']
interval: 5s
timeout: 3s
retries: 10
start_period: 10s
redis:
image: redis:7-alpine
container_name: goodgo-ci-redis
ports:
- '${REDIS_PORT:-6379}:6379'
command: redis-server --save "" --appendonly no
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
interval: 5s
timeout: 3s
retries: 10
typesense:
image: typesense/typesense:27.1
container_name: goodgo-ci-typesense
ports:
- '${TYPESENSE_PORT:-8108}:8108'
environment:
TYPESENSE_API_KEY: ts_ci_key
TYPESENSE_DATA_DIR: /data
tmpfs:
- /data
healthcheck:
test: ['CMD', 'curl', '-sf', 'http://localhost:8108/health']
interval: 5s
timeout: 3s
retries: 10
start_period: 10s
minio:
image: minio/minio:latest
container_name: goodgo-ci-minio
ports:
- '${MINIO_PORT:-9000}:9000'
command: server /data
environment:
MINIO_ROOT_USER: ci_minio_user
MINIO_ROOT_PASSWORD: ci_minio_secret_key_32chars!!
tmpfs:
- /data
healthcheck:
test: ['CMD', 'curl', '-sf', 'http://localhost:9000/minio/health/live']
interval: 5s
timeout: 3s
retries: 10
start_period: 5s