From 0466ef9e5c3ada1cfc405bf50f100a60737a13cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Gierwia=C5=82o?= <github@radziel.com>
Date: Tue, 2 Dec 2025 19:55:08 +0100
Subject: [PATCH] security(nginx): block access to sensitive files and
 directories

Added comprehensive security rules to all nginx configurations:

Dev proxy (nginx/conf.d/default.conf):
- Block dotfiles and .git directory
- Block .env* files and config files
- Block node_modules, docker configs, package files
- Block backup files (.bak, .swp, ~)

Prod proxy (nginx/conf.d.prod/default.conf):
- All dev security rules
- Added security headers (X-Frame-Options, CSP, etc.)
- Strict CSP with frame-ancestors 'none'

Frontend container (frontend/nginx.conf):
- Block dotfiles and sensitive config files
- Block node_modules and build configs
- Added security headers

All blocked paths return 404 and disable logging to avoid log spam.

Blocks: .env*, .git, node_modules, docker*, package*.json,
prisma, backup*, *.bak, *.swp, tsconfig.json, and more.
---
 frontend/nginx.conf            | 22 +++++++++++++++++++
 nginx/conf.d.prod/default.conf | 39 ++++++++++++++++++++++++++++++++++
 nginx/conf.d/default.conf      | 29 +++++++++++++++++++++++++
 3 files changed, 90 insertions(+)

diff --git a/frontend/nginx.conf b/frontend/nginx.conf
index 84db185..9be4abb 100644
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -10,6 +10,28 @@ server {
     gzip_min_length 1024;
     gzip_types text/plain text/css text/xml text/javascript application/javascript application/json application/xml+rss image/svg+xml;
 
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    # Block access to sensitive files and directories
+    location ~ /\. {
+        deny all;
+        return 404;
+    }
+
+    location ~ \.(env|git|gitignore|dockerignore)$ {
+        deny all;
+        return 404;
+    }
+
+    location ~ ^/(node_modules|\.git|\.vscode|package\.json|package-lock\.json|vite\.config|tsconfig\.json)/? {
+        deny all;
+        return 404;
+    }
+
     # SPA fallback - serve index.html for all non-file routes
     location / {
         try_files $uri $uri/ /index.html;
diff --git a/nginx/conf.d.prod/default.conf b/nginx/conf.d.prod/default.conf
index d3a56f0..01f84c9 100644
--- a/nginx/conf.d.prod/default.conf
+++ b/nginx/conf.d.prod/default.conf
@@ -12,6 +12,45 @@ server {
 
     client_max_body_size 500M;
 
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+    # Strict Content Security Policy for production
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss:; media-src 'self' blob:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';" always;
+
+    # Block access to sensitive files and directories
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
+    location ~ \.(env|git|gitignore|dockerignore|htaccess|htpasswd)$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
+    location ~ ^/(node_modules|\.git|\.vscode|\.idea|docker-compose|Dockerfile|package\.json|package-lock\.json|yarn\.lock|pnpm-lock\.yaml|\.npmrc|\.yarnrc|tsconfig\.json|\.eslintrc|\.prettierrc|prisma|\.env.*|\.db|\.sqlite|\.sql|backup|backups|dumps|logs)/? {
+        deny all;
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
+    location ~ \.(bak|backup|swp|tmp|old|orig|save|~)$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
     # Frontend - Static files served by nginx
     location / {
         proxy_pass http://frontend;
diff --git a/nginx/conf.d/default.conf b/nginx/conf.d/default.conf
index 037b962..85ca865 100644
--- a/nginx/conf.d/default.conf
+++ b/nginx/conf.d/default.conf
@@ -22,6 +22,35 @@ server {
     # Content Security Policy (permissive for dev, tighten for production)
     add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' ws: wss:; media-src 'self' blob:; object-src 'none'; base-uri 'self'; form-action 'self';" always;
 
+    # Block access to sensitive files and directories
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
+    location ~ \.(env|git|gitignore|dockerignore|htaccess|htpasswd)$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
+    location ~ ^/(node_modules|\.git|\.vscode|\.idea|docker-compose|Dockerfile|package\.json|package-lock\.json|yarn\.lock|pnpm-lock\.yaml|\.npmrc|\.yarnrc|tsconfig\.json|\.eslintrc|\.prettierrc|prisma|\.env.*|\.db|\.sqlite|\.sql|backup|backups|dumps|logs)/? {
+        deny all;
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
+    location ~ \.(bak|backup|swp|tmp|old|orig|save|~)$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
     # Frontend - Vite Dev Server
     location / {
         proxy_pass http://frontend;