bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: implement CSP headers (API middleware + Nginx configs + dev meta tags)

Browse Source 
API middleware:
- SecurityHeaders now sets Content-Security-Policy from config/security.php
- Default API policy: "default-src 'none'; frame-ancestors 'none'"
- Supports report-only mode via CSP_REPORT_ONLY env var
- Policy value configurable via CSP_POLICY env var

Nginx deployment configs (deploy/nginx/):
- security-headers.conf: shared headers for all server blocks
- csp-api.conf: restrictive JSON-only policy for api.crewli.app
- csp-spa.conf: SPA policy for app/admin (self + unsafe-inline styles)
- csp-portal.conf: portal policy matching SPA

Development:
- CSP meta tags added to all three index.html files
- Includes 'unsafe-inline' + 'unsafe-eval' for Vite HMR/loader script
- Each app allows its own ws:// port for HMR websocket

Resolves security finding A13-9.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 16:14:37 +02:00
parent 513ca519b2
commit 940297f214
12 changed files with 918 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
api/config/security.php Normal file
View File

@@ -0,0 +1,36 @@
<?php
declare(strict_types=1);
return [
/*
|--------------------------------------------------------------------------
| Content Security Policy
|--------------------------------------------------------------------------
|
| CSP header value. Set to null to disable. Use report-only mode first
| to identify violations before enforcing.
|
| For the API: restrictive policy (no scripts, no styles needed).
| For SPAs: CSP is configured at the web server (Nginx) level because
| Vite-generated script hashes change per build.
|
*/
'csp' => env('CSP_POLICY', "default-src 'none'; frame-ancestors 'none'"),
/*
|--------------------------------------------------------------------------
| CSP Report Only
|--------------------------------------------------------------------------
|
| When true, sends Content-Security-Policy-Report-Only instead of
| Content-Security-Policy. Violations are logged but not blocked.
| Use this for initial rollout to catch false positives.
|
*/
'csp_report_only' => env('CSP_REPORT_ONLY', false),
];