From f8d380ebab0bfdd319a4615d98a43f0eae1cf364 Mon Sep 17 00:00:00 2001
From: null
Date: Sun, 17 May 2026 21:53:39 -0500
Subject: [PATCH] fix: disable prod sourcemaps, secure CORS default, allow HMR websocket (#122 #124 #131) (batch 9.6)

---
 server/index.js | 5 +++--
 vite.config.js | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/server/index.js b/server/index.js
index fc89bbe..0b649b1 100644
--- a/server/index.js
+++ b/server/index.js
@@ -61,13 +61,14 @@ const apiLimiter = rateLimit({
 })
 // --- Security Headers (Helmet) ---
+const isDev = process.env.NODE_ENV === 'development'
 const cspDirectives = {
 defaultSrc: ["'self'"],
 scriptSrc: ["'self'"],
 styleSrc: ["'self'", 'https://fonts.googleapis.com'],
 fontSrc: ["'self'", 'https://fonts.gstatic.com'],
 imgSrc: ["'self'", 'data:'],
- connectSrc: ["'self'"],
+ connectSrc: isDev ? ["'self'", 'ws://localhost:*'] : ["'self'"],
 objectSrc: ["'none'"],
 baseUri: ["'self'"],
 formAction: ["'self'"],
@@ -95,7 +96,7 @@ app.use(helmet({
 log.info('[Security] Helmet enabled with CSP configured')
 // --- CORS Configuration ---
-const corsOrigin = process.env.CORS_ORIGIN || '*' // Default to * for development
+const corsOrigin = process.env.CORS_ORIGIN || 'https://queuenorth.com' // Default to production domain
 const corsConfig = cors({
 origin: corsOrigin === '*' ? corsOrigin : (corsOrigin === 'null' ? undefined : corsOrigin),
 methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
diff --git a/vite.config.js b/vite.config.js
index 54659b6..73fc649 100644
--- a/vite.config.js
+++ b/vite.config.js
@@ -20,6 +20,6 @@ export default defineConfig({
 },
 build: {
 outDir: 'dist',
- sourcemap: true,
+ sourcemap: process.env.NODE_ENV !== 'production',
 },
 })
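Review bot: The HMR allowance on the new `connectSrc` line only applies when NODE_ENV is exactly `'development'`, so a dev server started without NODE_ENV set still gets the production connect-src and the websocket this commit is meant to unblock stays blocked; vite.config.js in the same commit gates on `!== 'production'`, so the two files disagree on what an unset NODE_ENV means. Keeping the CSP side fail-closed is the right call, but it should be deliberate and written down above `const isDev`: `// Fail-closed: CSP is only loosened when NODE_ENV is exactly 'development'; unset counts as production.` Note also that `'ws://localhost:*'` will not match an HMR client that connects via `127.0.0.1` or a LAN host, so if that setup is used the dev entry needs those hosts as well. The cspDirectives object continues past the end of the hunk.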
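Review bot: The new default on the `corsOrigin` line closes the wildcard by default, but the `origin:` ternary on the next line still passes `'*'` through and maps the literal string `'null'` to `undefined`, which (as far as I recall of the cors package) is also treated as the wildcard — so a stray `CORS_ORIGIN=null` or `CORS_ORIGIN=*` in a production environment silently reopens it with nothing in the logs. I would at least log it, `if (corsOrigin === '*' || corsOrigin === 'null') log.warn('[Security] CORS origin is wildcard; set CORS_ORIGIN to the site origin in production')`, or refuse to start when NODE_ENV is 'production'. The hard-coded `https://queuenorth.com` also means every non-production deployment (staging, preview) must set CORS_ORIGIN explicitly, which the trailing comment should say: `// Default to production origin; other environments must set CORS_ORIGIN`. The cors() options object continues outside the hunk, so I cannot see whether credentials are enabled; if they are, the wildcard cases matter even more.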
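Review bot: `process.env.NODE_ENV !== 'production'` on the new `sourcemap` line is evaluated when the config file is loaded, and as far as I recall Vite sets NODE_ENV for a build only after the config has been loaded, so unless the shell exports NODE_ENV=production before `vite build` this expression is true and production sourcemaps are still emitted — the opposite of what the commit intends. The form Vite provides for this does not depend on the environment at all: `export default defineConfig(({ command }) => ({` … `sourcemap: command !== 'build',` … `}))`. If the maps are wanted for error tracking but must not be served, `sourcemap: 'hidden'` emits them without the `sourceMappingURL` comment in the bundle. The defineConfig object starts in the hunk header line, outside the hunk.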