bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: implement CSP headers (API middleware + Nginx configs + dev meta tags)

Browse Source 
API middleware:
- SecurityHeaders now sets Content-Security-Policy from config/security.php
- Default API policy: "default-src 'none'; frame-ancestors 'none'"
- Supports report-only mode via CSP_REPORT_ONLY env var
- Policy value configurable via CSP_POLICY env var

Nginx deployment configs (deploy/nginx/):
- security-headers.conf: shared headers for all server blocks
- csp-api.conf: restrictive JSON-only policy for api.crewli.app
- csp-spa.conf: SPA policy for app/admin (self + unsafe-inline styles)
- csp-portal.conf: portal policy matching SPA

Development:
- CSP meta tags added to all three index.html files
- Includes 'unsafe-inline' + 'unsafe-eval' for Vite HMR/loader script
- Each app allows its own ws:// port for HMR websocket

Resolves security finding A13-9.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-14 16:14:37 +02:00
parent 513ca519b2
commit 940297f214
12 changed files with 918 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
deploy/README.md Normal file
View File

@@ -0,0 +1,69 @@
# Crewli Deployment — Security Configuration
## Nginx Security Headers
Copy the configuration snippets to your Nginx server:
### API (api.crewli.app)
```nginx
server {
server_name api.crewli.app;
include /path/to/deploy/nginx/security-headers.conf;
include /path/to/deploy/nginx/csp-api.conf;
# ... rest of config
}
```
### Organizer App (app.crewli.app)
```nginx
server {
server_name app.crewli.app;
include /path/to/deploy/nginx/security-headers.conf;
include /path/to/deploy/nginx/csp-spa.conf;
# ... rest of config
}
```
### Admin (admin.crewli.app)
```nginx
server {
server_name admin.crewli.app;
include /path/to/deploy/nginx/security-headers.conf;
include /path/to/deploy/nginx/csp-spa.conf;
# ... rest of config
}
```
### Portal (portal.crewli.app)
```nginx
server {
server_name portal.crewli.app;
include /path/to/deploy/nginx/security-headers.conf;
include /path/to/deploy/nginx/csp-portal.conf;
# ... rest of config
}
```
## CSP Rollout Process
1. Start with `Content-Security-Policy-Report-Only` (uncomment in `csp-spa.conf`)
2. Monitor browser console for CSP violations for 1-2 weeks
3. Add any missing sources to the policy
4. Switch to enforcing `Content-Security-Policy`
5. Monitor for false positives after enforcement
## DirectAdmin Integration
If using DirectAdmin with Nginx:
1. Place the `.conf` files in `/usr/local/directadmin/data/users/USERNAME/nginx.conf`
or use DirectAdmin's custom Nginx configuration feature
2. Reload Nginx: `service nginx reload`
3. Verify headers: `curl -I https://app.crewli.app | grep -i security`