From 92065655232cd3c942fac4c10d803413bb70a630 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Gierwia=C5=82o?=
Date: Sat, 29 Nov 2025 15:04:26 +0100
Subject: [PATCH] security: add nginx headers and fix npm vulnerabilities
- Add security headers to nginx (X-Frame-Options, CSP, etc.)
- Reduce client_max_body_size from 500M to 10M
- Add npm overrides to fix cookie vulnerability in csurf
- Make navbar sticky with full width
---
backend/package-lock.json | 15 +++------------
backend/package.json | 5 +++++
nginx/conf.d/default.conf | 12 +++++++++++-
3 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/backend/package-lock.json b/backend/package-lock.json
index cc918ed..e384e2d 100644
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -3437,15 +3437,6 @@
 "node": ">= 0.8.0"
 }
 },
- "node_modules/csurf/node_modules/cookie": {
- "version": "0.4.0",
- "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz",
- "integrity": "sha512-+Hp8fLp57wnUSt0tY0tHEXh4voZRDnoIrZPqlo3DPiI4y9lwg/jqx+1Om94/W6ZaPDOUbnjOt/99w66zk+l1Xg==",
- "license": "MIT",
- "engines": {
- "node": ">= 0.6"
- }
- },
 "node_modules/csurf/node_modules/depd": {
 "version": "1.1.2",
 "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz",
@@ -5369,9 +5360,9 @@
 "license": "MIT"
 },
 "node_modules/js-yaml": {
- "version": "3.14.1",
- "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz",
- "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==",
+ "version": "3.14.2",
+ "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
+ "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
 "dev": true,
 "license": "MIT",
 "dependencies": {
diff --git a/backend/package.json b/backend/package.json
index 5c30de7..61c2e9d 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -62,5 +62,10 @@
 },
 "prisma": {
 "seed": "node prisma/seed.js"
+ },
+ "overrides": {
+ "csurf": {
+ "cookie": "^0.7.0"
+ }
 }
 }
diff --git a/nginx/conf.d/default.conf b/nginx/conf.d/default.conf
index 465ecdf..037b962 100644
--- a/nginx/conf.d/default.conf
+++ b/nginx/conf.d/default.conf
@@ -10,7 +10,17 @@ server {
 listen 80;
 server_name localhost;
- client_max_body_size 500M; # Dla dużych plików wideo
+ client_max_body_size 10M;
+
+ # Security headers
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+ # Content Security Policy (permissive for dev, tighten for production)
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' ws: wss:; media-src 'self' blob:; object-src 'none'; base-uri 'self'; form-action 'self';" always;
 # Frontend - Vite Dev Server
 location / {
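Review bot: The added `overrides` block forces csurf onto `cookie ^0.7.0`, presumably outside the range csurf itself declares (the lockfile previously kept a nested `cookie` 0.4.0 for it), and nothing in the change verifies that csurf's CSRF token cookie still round-trips with the newer cookie; add a test that issues and validates a token through csurf before relying on the override. As far as I know csurf is deprecated upstream, so this override is a stopgap and the dependency should be tracked for replacement rather than left under overrides indefinitely. The lockfile hunk drops `node_modules/csurf/node_modules/cookie` but the root `cookie` entry is not in view, so confirm with `npm ls cookie` that a single copy at or above 0.7.0 is resolved. package.json cannot carry a comment, so record why the override exists and when it can be removed in the README or the project's dependency notes.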