security: add nginx headers and fix npm vulnerabilities

- Add security headers to nginx (X-Frame-Options, CSP, etc.) - Reduce client_max_body_size from 500M to 10M - Add npm overrides to fix cookie vulnerability in csurf - Make navbar sticky with full width
2025-11-29 15:04:26 +01:00
parent 61d23681ff
commit 9206565523
3 changed files with 19 additions and 13 deletions
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -3437,15 +3437,6 @@
        "node": ">= 0.8.0"
      }
    },
-    "node_modules/csurf/node_modules/cookie": {
-      "version": "0.4.0",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz",
-      "integrity": "sha512-+Hp8fLp57wnUSt0tY0tHEXh4voZRDnoIrZPqlo3DPiI4y9lwg/jqx+1Om94/W6ZaPDOUbnjOt/99w66zk+l1Xg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
    "node_modules/csurf/node_modules/depd": {
      "version": "1.1.2",
      "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz",
@@ -5369,9 +5360,9 @@
      "license": "MIT"
    },
    "node_modules/js-yaml": {
-      "version": "3.14.1",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz",
-      "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==",
+      "version": "3.14.2",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
+      "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
--- a/backend/package.json
+++ b/backend/package.json
@@ -62,5 +62,10 @@
  },
  "prisma": {
    "seed": "node prisma/seed.js"
+  },
+  "overrides": {
+    "csurf": {
+      "cookie": "^0.7.0"
+    }
  }
 }
--- a/nginx/conf.d/default.conf
+++ b/nginx/conf.d/default.conf
@@ -10,7 +10,17 @@ server {
    listen 80;
    server_name localhost;

-    client_max_body_size 500M;  # Dla dużych plików wideo
+    client_max_body_size 10M;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+    # Content Security Policy (permissive for dev, tighten for production)
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' ws: wss:; media-src 'self' blob:; object-src 'none'; base-uri 'self'; form-action 'self';" always;

    # Frontend - Vite Dev Server
    location / {