diff --git a/server/index.js b/server/index.js
index fc89bbe..0b649b1 100644
--- a/server/index.js
+++ b/server/index.js
@@ -61,13 +61,14 @@ const apiLimiter = rateLimit({
 })
 
 // --- Security Headers (Helmet) ---
+const isDev = process.env.NODE_ENV === 'development'
 const cspDirectives = {
   defaultSrc: ["'self'"],
   scriptSrc: ["'self'"],
   styleSrc: ["'self'", 'https://fonts.googleapis.com'],
   fontSrc: ["'self'", 'https://fonts.gstatic.com'],
   imgSrc: ["'self'", 'data:'],
-  connectSrc: ["'self'"],
+  connectSrc: isDev ? ["'self'", 'ws://localhost:*'] : ["'self'"],
   objectSrc: ["'none'"],
   baseUri: ["'self'"],
   formAction: ["'self'"],
@@ -95,7 +96,7 @@ app.use(helmet({
 log.info('[Security] Helmet enabled with CSP configured')
 
 // --- CORS Configuration ---
-const corsOrigin = process.env.CORS_ORIGIN || '*' // Default to * for development
+const corsOrigin = process.env.CORS_ORIGIN || 'https://queuenorth.com' // Default to production domain
 const corsConfig = cors({
   origin: corsOrigin === '*' ? corsOrigin : (corsOrigin === 'null' ? undefined : corsOrigin),
   methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
diff --git a/vite.config.js b/vite.config.js
index 54659b6..73fc649 100644
--- a/vite.config.js
+++ b/vite.config.js
@@ -20,6 +20,6 @@ export default defineConfig({
   },
   build: {
     outDir: 'dist',
-    sourcemap: true,
+    sourcemap: process.env.NODE_ENV !== 'production',
   },
 })
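Review bot: The two new environment predicates disagree on what an unset NODE_ENV means: `isDev` in server/index.js is true only for the exact string `'development'`, while the `sourcemap` expression in vite.config.js treats anything other than `'production'` as non-production. A process started without NODE_ENV therefore gets the strict CSP (no `ws://localhost:*`, so any local websocket client is blocked by `connect-src`) but still emits source maps into `dist`; both outcomes may be intended, but they are easy to misread. I would settle on one predicate and document the default, e.g. `// Dev-only CSP relaxation; NODE_ENV must be exactly 'development' — an unset value is treated as production` above the `const isDev` line, and log it next to the existing `[Security] Helmet enabled` message so the effective policy is visible in the deploy logs: `log.info(\`[Security] CSP connect-src: ${cspDirectives.connectSrc.join(' ')}\`)`. The `cspDirectives` object and the `helmet({...})` call continue outside the hunk.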
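Review bot: The new fallback on the `corsOrigin` line silently substitutes a hard-coded production origin whenever CORS_ORIGIN is unset, so a staging or local instance that forgets the variable will reject its own front-end without any indication of why, and the `'*'` escape hatch on the following `origin:` line is still reachable from the environment. Since the effective value is decided at startup, it is worth making it visible and deliberate: `log.info(\`[Security] CORS origin: ${corsOrigin}\`)` after the `cors({ ... })` block, plus a warning branch `if (corsOrigin === '*') log.warn('[Security] CORS_ORIGIN is "*"; credentials and origin checks are effectively disabled')`. The `cors({...})` options object continues past the end of the hunk, so I cannot see whether `credentials` is set; if it is, a `'*'` origin combined with credentials is rejected by browsers anyway and the warning is doubly useful.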
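Review bot: Gating `sourcemap` on `process.env.NODE_ENV !== 'production'` means a build run without NODE_ENV set will still emit `.map` files into `dist`, where any static-hosting step that copies the whole directory would publish the unminified client source. Vite normally exposes the build mode directly, so the config could key off it instead of the raw environment variable: `export default defineConfig(({ mode }) => ({` with `sourcemap: mode !== 'production',`, which tracks `vite build --mode` rather than whatever the shell happened to export. Whichever form is kept, a short comment on the `sourcemap` line stating the intended default for an unset value (`// source maps only for non-production builds; unset NODE_ENV counts as non-production`) would stop the next reader from assuming it matches the stricter `isDev` test in server/index.js. The `defineConfig({...})` object starts before the hunk.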