From 9392bf9735ed23d45d9ee1812b5830c911848cc5 Mon Sep 17 00:00:00 2001 From: Corey Blais Date: Mon, 20 Apr 2026 10:02:50 -0400 Subject: [PATCH] added security enhancements --- backend/src/app.ts | 1 + docker-compose.prod.yml | 6 ++++++ frontend/nginx.conf | 7 +++++++ frontend/public/robots.txt | 33 +++++++++++++++++++++++++++++++++ 4 files changed, 47 insertions(+) create mode 100644 frontend/public/robots.txt diff --git a/backend/src/app.ts b/backend/src/app.ts index 73fc03f..5d0fd04 100644 --- a/backend/src/app.ts +++ b/backend/src/app.ts @@ -520,6 +520,7 @@ const oauthProviders = { }, }; +app.disable('x-powered-by'); app.use(helmet({ crossOriginResourcePolicy: false })); app.use( cors({ diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 13ec062..d746d2b 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -70,6 +70,7 @@ services: - traefik.http.routers.flockpal-api.entrypoints=websecure - traefik.http.routers.flockpal-api.tls.certresolver=${TRAEFIK_CERTRESOLVER:-letsencrypt} - traefik.http.routers.flockpal-api.priority=100 + - traefik.http.routers.flockpal-api.middlewares=flockpal-hsts@docker - traefik.http.services.flockpal-api.loadbalancer.server.port=5000 networks: - default @@ -92,6 +93,11 @@ services: - traefik.http.routers.flockpal-web.entrypoints=websecure - traefik.http.routers.flockpal-web.tls.certresolver=${TRAEFIK_CERTRESOLVER:-letsencrypt} - traefik.http.routers.flockpal-web.priority=10 + - traefik.http.routers.flockpal-web.middlewares=flockpal-hsts@docker + - traefik.http.middlewares.flockpal-hsts.headers.stsSeconds=31536000 + - traefik.http.middlewares.flockpal-hsts.headers.stsIncludeSubdomains=true + - traefik.http.middlewares.flockpal-hsts.headers.stsPreload=false + - traefik.http.middlewares.flockpal-hsts.headers.forceSTSHeader=true - traefik.http.services.flockpal-web.loadbalancer.server.port=80 networks: - traefik diff --git a/frontend/nginx.conf b/frontend/nginx.conf index 79fd959..07acaad 100644 
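Review bot: `app.disable('x-powered-by')` duplicates what the `helmet()` call on the next line already does, since helmet's default middleware set removes the X-Powered-By header; as written a reader will wonder which one is meant to be authoritative. Disabling it at the Express level is still reasonable defense in depth, because the header is then never set rather than stripped after the fact and survives a later change to the helmet options. If that is the intent, say so on the line: `// Redundant with helmet's hidePoweredBy on purpose: the header is never set, even if helmet is reconfigured.` The enclosing middleware setup continues outside the hunk.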
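Review bot: The `flockpal-hsts@docker` middleware referenced on the flockpal-api router in this hunk is only defined by labels on the flockpal-web service in the following hunk (`@@ -92,6 +93,11 @@`), so the API router's configuration depends on an unrelated container being up; with the Docker provider a middleware exists only while the container carrying its labels is running, and a router that references a missing middleware is put into an error state by Traefik. Either repeat the four `traefik.http.middlewares.flockpal-hsts.headers.*` labels on the api service (Traefik accepts identical duplicate definitions) or move the middleware to a file/static provider so each router stands on its own. It is also worth confirming whether the backend's default `helmet()` configuration already emits its own Strict-Transport-Security header, so API responses do not carry two HSTS values with different max-age settings.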
--- a/frontend/nginx.conf +++ b/frontend/nginx.conf @@ -1,10 +1,17 @@ server { listen 80; server_name _; + server_tokens off; root /usr/share/nginx/html; index index.html; + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; + location / { try_files $uri $uri/ /index.html; } diff --git a/frontend/public/robots.txt b/frontend/public/robots.txt new file mode 100644 index 0000000..104acd1 --- /dev/null +++ b/frontend/public/robots.txt @@ -0,0 +1,33 @@ +# FlockPal robots.txt +# Allows normal search indexing while reserving rights against AI training and AI answer ingestion. + +User-agent: * +Content-Signal: search=yes,ai-input=no,ai-train=no +Allow: / + +User-agent: Amazonbot +Disallow: / + +User-agent: Applebot-Extended +Disallow: / + +User-agent: Bytespider +Disallow: / + +User-agent: CCBot +Disallow: / + +User-agent: ClaudeBot +Disallow: / + +User-agent: CloudflareBrowserRenderingCrawler +Disallow: / + +User-agent: Google-Extended +Disallow: / + +User-agent: GPTBot +Disallow: / + +User-agent: meta-externalagent +Disallow: /
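Review bot: The five `add_header` directives are placed at server level, and nginx only inherits server-level `add_header` into a `location` that declares no `add_header` of its own; any location elsewhere in this file (or added later, e.g. a caching rule for static assets) that sets even one header will silently drop the whole security-header set for those responses. The rest of the server block is outside the hunk, so I cannot see whether that already happens. Consider moving these lines into a snippet that is `include`d in every location that adds headers, or at least flag the hazard where they are defined: `# add_header is NOT inherited into a location that declares its own add_header; repeat or include these there.` Separately, `connect-src 'self'` only permits XHR/fetch to the page's own origin, so if the frontend calls the API on a different host than the one serving index.html those requests will be blocked by the browser; confirm the API origin before shipping this policy.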