crewli/deploy/README.md
bert.hausmans 940297f214 security: implement CSP headers (API middleware + Nginx configs + dev meta tags)
API middleware:
- SecurityHeaders now sets Content-Security-Policy from config/security.php
- Default API policy: "default-src 'none'; frame-ancestors 'none'"
- Supports report-only mode via CSP_REPORT_ONLY env var
- Policy value configurable via CSP_POLICY env var

Nginx deployment configs (deploy/nginx/):
- security-headers.conf: shared headers for all server blocks
- csp-api.conf: restrictive JSON-only policy for api.crewli.app
- csp-spa.conf: SPA policy for app/admin (self + unsafe-inline styles)
- csp-portal.conf: portal policy matching SPA

Development:
- CSP meta tags added to all three index.html files
- Includes 'unsafe-inline' + 'unsafe-eval' for Vite HMR/loader script
- Each app allows its own ws:// port for HMR websocket

Resolves security finding A13-9.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 16:14:37 +02:00


# Crewli Deployment — Security Configuration
## Nginx Security Headers
Copy the configuration snippets to your Nginx server:
### API (api.crewli.app)
```nginx
server {
    server_name api.crewli.app;
    include /path/to/deploy/nginx/security-headers.conf;
    include /path/to/deploy/nginx/csp-api.conf;
    # ... rest of config
}
```
### Organizer App (app.crewli.app)
```nginx
server {
    server_name app.crewli.app;
    include /path/to/deploy/nginx/security-headers.conf;
    include /path/to/deploy/nginx/csp-spa.conf;
    # ... rest of config
}
```
### Admin (admin.crewli.app)
```nginx
server {
    server_name admin.crewli.app;
    include /path/to/deploy/nginx/security-headers.conf;
    include /path/to/deploy/nginx/csp-spa.conf;
    # ... rest of config
}
```
### Portal (portal.crewli.app)
```nginx
server {
    server_name portal.crewli.app;
    include /path/to/deploy/nginx/security-headers.conf;
    include /path/to/deploy/nginx/csp-portal.conf;
    # ... rest of config
}
```
## CSP Rollout Process
1. Start with `Content-Security-Policy-Report-Only` (uncomment in `csp-spa.conf`)
2. Monitor browser console for CSP violations for 1-2 weeks
3. Add any missing sources to the policy
4. Switch to enforcing `Content-Security-Policy`
5. Monitor for false positives after enforcement
## DirectAdmin Integration
If using DirectAdmin with Nginx:
1. Place the `.conf` files in `/usr/local/directadmin/data/users/USERNAME/nginx.conf`, or use DirectAdmin's custom Nginx configuration feature
2. Reload Nginx: `service nginx reload`
3. Verify headers: `curl -I https://app.crewli.app | grep -i security`
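The rollout process above and the header verification step both come down to reading the response headers correctly. As an added example (not part of the Crewli repo), this POSIX shell script classifies a host's CSP posture from `curl -sI` output and lists any `'unsafe-*'` sources that should not survive into the enforcing policy; the three header blocks in it are constructed samples, not captured responses.

```shell
#!/bin/sh
# Added example, not part of the Crewli repo: classify the CSP posture of a
# host from its response headers. Pipe in the output of `curl -sI <url>`;
# the header blocks below are constructed samples standing in for real responses.

# Print "enforcing", "report-only" or "missing" for the header block on stdin.
# Header names are case-insensitive and HTTP lines end in CRLF, so strip the CR.
csp_mode() {
    headers=$(tr -d '\r')
    if printf '%s\n' "$headers" | grep -qi '^content-security-policy:'; then
        echo enforcing
    elif printf '%s\n' "$headers" | grep -qi '^content-security-policy-report-only:'; then
        echo report-only
    else
        echo missing
    fi
}

# List each distinct 'unsafe-*' source keyword in the CSP (enforcing or
# report-only) on stdin, one per line. Worth running before rollout step 4:
# the dev meta tags carry 'unsafe-inline'/'unsafe-eval', production should not.
csp_unsafe_tokens() {
    tr -d '\r' | grep -i '^content-security-policy' | grep -o "'unsafe-[a-z]*'" | sort -u
}

# Constructed sample: API host with the restrictive JSON-only policy, enforced.
SAMPLE_API="HTTP/2 200
Content-Type: application/json
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff"

# Constructed sample: SPA host still in report-only mode, carrying dev-only sources.
SAMPLE_SPA="HTTP/2 200
Content-Type: text/html
Content-Security-Policy-Report-Only: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'
X-Frame-Options: DENY"

# Constructed sample: no CSP at all (the include was never added to the server block).
SAMPLE_NONE="HTTP/2 200
Content-Type: text/html"

# Stand-alone usage: report mode and leftover unsafe sources for each sample.
for name in SAMPLE_API SAMPLE_SPA SAMPLE_NONE; do
    eval "hdrs=\$$name"
    printf '%s: %s\n' "$name" "$(printf '%s\n' "$hdrs" | csp_mode)"
    printf '%s\n' "$hdrs" | csp_unsafe_tokens | sed "s/^/  $name still allows /"
done
```

Against a live host, replace the sample with `curl -sI https://app.crewli.app | csp_mode`.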