fix: harden security based on pentest scan findings

- Add Content-Security-Policy to main nginx server block (was only on /admin/)
- Add Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy headers
- Add includeSubDomains to HSTS header
- Set HttpOnly, Secure, SameSite=Lax session cookie params on public pages
  (AdminAuth already hardens the /admin session with SameSite=Strict)
- Update xamxam.conf.reference and SECURITY_HEADERS.md to match
Pontoporeia
2026-05-11 18:03:14 +02:00
parent 4717b4d67e
commit 04094d802d
7 changed files with 37 additions and 484 deletions


@@ -60,9 +60,9 @@ deploy:
--exclude 'storage/docs' \
--exclude 'var/' \
app/ xamxam:/var/www/xamxam/
# Upload deploy-server.sh for post-deploy permission fix
rsync -v scripts/deploy-server.sh xamxam:/tmp/deploy-server.sh
# Deploy nginx config + fix permissions + reload (single server-side run)
rsync -v nginx/xamxam.conf xamxam:/tmp/xamxam.conf
rsync -v scripts/deploy-server.sh xamxam:/tmp/deploy-server.sh
ssh -t xamxam "sudo bash /tmp/deploy-server.sh"
ssh xamxam "rm -f /tmp/deploy-server.sh /tmp/xamxam.conf"
ssh xamxam "mkdir -p /var/www/xamxam/var/{cache,logs,tmp}"
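Review bot: The new `ssh -t xamxam "sudo bash /tmp/deploy-server.sh"` line executes a script staged in the shared, world-writable /tmp as root, and the nginx config is staged the same way at /tmp/xamxam.conf; on a host with other local accounts this is the pattern where a privileged step trusts a file in /tmp, so it is safer to stage both files under a directory only the deploy user can write to (for example a per-deploy `mktemp -d` under the deploy user's home) and pass that path to the script. Because each recipe line aborts the recipe on failure, the `rm -f /tmp/deploy-server.sh /tmp/xamxam.conf` cleanup on the next line does not run when the sudo step fails, leaving the staged nginx config behind in /tmp; a deploy-user-owned staging directory bounds that exposure as well. If deploy-server.sh reads /tmp/xamxam.conf internally (not visible here), it would need the same path change. The `deploy:` recipe begins before this hunk, and the commit description lists only header and cookie changes without mentioning this deploy-recipe restructuring (the separate `deploy-nginx` step dropped in the following hunk), which is worth a line there.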
@@ -70,8 +70,6 @@ deploy:
rsync -v scripts/migrate.sh xamxam:/tmp/migrate.sh
ssh xamxam "cd /var/www/xamxam && REPO_ROOT=/var/www/xamxam bash /tmp/migrate.sh"
ssh xamxam "rm -f /tmp/migrate.sh"
# Deploy nginx configuration
@just deploy-nginx
# Sync .env separately (excluded above to avoid accidental overwrite on subsequent deploys)
@just deploy-env
@just deploy-verify-permissions