bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cb16cf9091fe1f6577df0f1130987c7af939c60c
crewli/deploy/README.md
bert.hausmans 940297f214 security: implement CSP headers (API middleware + Nginx configs + dev meta tags) 
API middleware:
- SecurityHeaders now sets Content-Security-Policy from config/security.php
- Default API policy: "default-src 'none'; frame-ancestors 'none'"
- Supports report-only mode via CSP_REPORT_ONLY env var
- Policy value configurable via CSP_POLICY env var

Nginx deployment configs (deploy/nginx/):
- security-headers.conf: shared headers for all server blocks
- csp-api.conf: restrictive JSON-only policy for api.crewli.app
- csp-spa.conf: SPA policy for app/admin (self + unsafe-inline styles)
- csp-portal.conf: portal policy matching SPA

Development:
- CSP meta tags added to all three index.html files
- Includes 'unsafe-inline' + 'unsafe-eval' for Vite HMR/loader script
- Each app allows its own ws:// port for HMR websocket

Resolves security finding A13-9.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 16:14:37 +02:00

1.6 KiB
Raw Blame History

Crewli Deployment — Security Configuration

Nginx Security Headers

Copy the configuration snippets to your Nginx server:

API (api.crewli.app)

server {
    server_name api.crewli.app;

    include /path/to/deploy/nginx/security-headers.conf;
    include /path/to/deploy/nginx/csp-api.conf;

    # ... rest of config
}

Organizer App (app.crewli.app)

server {
    server_name app.crewli.app;

    include /path/to/deploy/nginx/security-headers.conf;
    include /path/to/deploy/nginx/csp-spa.conf;

    # ... rest of config
}

Admin (admin.crewli.app)

server {
    server_name admin.crewli.app;

    include /path/to/deploy/nginx/security-headers.conf;
    include /path/to/deploy/nginx/csp-spa.conf;

    # ... rest of config
}

Portal (portal.crewli.app)

server {
    server_name portal.crewli.app;

    include /path/to/deploy/nginx/security-headers.conf;
    include /path/to/deploy/nginx/csp-portal.conf;

    # ... rest of config
}

CSP Rollout Process

  1. Start with Content-Security-Policy-Report-Only (uncomment in csp-spa.conf)
  2. Monitor browser console for CSP violations for 1-2 weeks
  3. Add any missing sources to the policy
  4. Switch to enforcing Content-Security-Policy
  5. Monitor for false positives after enforcement

DirectAdmin Integration

If using DirectAdmin with Nginx:

  1. Place the .conf files in /usr/local/directadmin/data/users/USERNAME/nginx.conf or use DirectAdmin's custom Nginx configuration feature
  2. Reload Nginx: service nginx reload
  3. Verify headers: curl -I https://app.crewli.app | grep -i security
Reference in New Issue View Git Blame Copy Permalink