M4: security pass — strict CSP, header split, build-time scan
All JS moved to external /site.js → script-src 'self' with no inline JS, hashes or eval. Full header set via nginx (CSP, nosniff, frame-deny, referrer, permissions, COOP/CORP); HSTS stays at the CF edge. Shared headers include avoids the location add_header reset footgun. Build-time secret/inline-script/third-party scan gate. SECURITY.md documents posture.
This commit is contained in:
+2
-1
@@ -18,8 +18,9 @@ RUN npm run build
|
||||
# Same vetted digest used by the k8s Deployment. Renovate keeps it current.
|
||||
FROM ghcr.io/nginx/nginx-unprivileged:1.28.0-alpine@sha256:c97ff0bf7cbae369953c6da1232ec14ad9f971d66360c5698db0856a4cd657a0
|
||||
|
||||
# Custom server config (security headers, caching, SPA-ish routing).
|
||||
# Custom server config (security headers, caching, routing) + shared headers include.
|
||||
COPY nginx/default.conf /etc/nginx/conf.d/default.conf
|
||||
COPY nginx/security-headers.conf /etc/nginx/security-headers.conf
|
||||
|
||||
# The built site.
|
||||
COPY --from=build /app/dist /usr/share/nginx/html
|
||||
|
||||
Reference in New Issue
Block a user