Crewli Deployment — Security Configuration
Nginx Security Headers
Copy the configuration snippets to your Nginx server:
API (api.crewli.app)
server {
server_name api.crewli.app;
include /path/to/deploy/nginx/security-headers.conf;
include /path/to/deploy/nginx/csp-api.conf;
# ... rest of config
}
Organizer App (crewli.app)
server {
server_name crewli.app;
include /path/to/deploy/nginx/security-headers.conf;
include /path/to/deploy/nginx/csp-spa.conf;
# ... rest of config
}
Legacy portal redirect (portal.crewli.app)
Pre-WS-3 (April 2026), Crewli ran a separate portal SPA at
portal.crewli.app. The dual-SPA was consolidated into a single
workspace; the legacy host should redirect 301 → crewli.app:
server {
server_name portal.crewli.app;
listen 443 ssl;
# ... TLS config from DirectAdmin / Let's Encrypt ...
return 301 https://crewli.app$request_uri;
}
DNS retirement of portal.crewli.app is a separate operational task
tracked outside this repo. Until DNS is repointed, this redirect
handles any stale links.
CSP Rollout Process
- Start with
Content-Security-Policy-Report-Only(uncomment incsp-spa.conf) - Monitor browser console for CSP violations for 1-2 weeks
- Add any missing sources to the policy
- Switch to enforcing
Content-Security-Policy - Monitor for false positives after enforcement
DirectAdmin Integration
If using DirectAdmin with Nginx:
- Place the
.conffiles in/usr/local/directadmin/data/users/USERNAME/nginx.confor use DirectAdmin's custom Nginx configuration feature - Reload Nginx:
service nginx reload - Verify headers:
curl -I https://crewli.app | grep -i security