bert.hausmans
940297f214
API middleware: - SecurityHeaders now sets Content-Security-Policy from config/security.php - Default API policy: "default-src 'none'; frame-ancestors 'none'" - Supports report-only mode via CSP_REPORT_ONLY env var - Policy value configurable via CSP_POLICY env var Nginx deployment configs (deploy/nginx/): - security-headers.conf: shared headers for all server blocks - csp-api.conf: restrictive JSON-only policy for api.crewli.app - csp-spa.conf: SPA policy for app/admin (self + unsafe-inline styles) - csp-portal.conf: portal policy matching SPA Development: - CSP meta tags added to all three index.html files - Includes 'unsafe-inline' + 'unsafe-eval' for Vite HMR/loader script - Each app allows its own ws:// port for HMR websocket Resolves security finding A13-9. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Admin Dashboard
This folder will contain the Admin SPA using Vuexy Vue.
Setup
- Copy Vuexy Vue full-version (TypeScript) here:
cp -r /path/to/vuexy/typescript-version/full-version/* .
- Install dependencies:
pnpm install
- Create
.env.local:
VITE_API_URL=http://localhost:8000/api/v1
VITE_APP_NAME="Crewli Admin"
- Start development:
pnpm dev
Port
Runs on http://localhost:5173 (Vite default).
Production: point VITE_API_URL at your API, e.g. https://api.crewli.app/api/v1, with DNS/TLS for admin.crewli.app (and matching Laravel FRONTEND_ADMIN_URL / CORS / Sanctum settings — see repo README.md and api/.env.example).