fix: disable prod sourcemaps, secure CORS default, allow HMR websocket (#122 #124 #131) (batch 9.6)

null 2026-05-17 21:53:39 -05:00
parent 53e2873fd4
commit f8d380ebab
2 changed files with 4 additions and 3 deletions


@ -61,13 +61,14 @@ const apiLimiter = rateLimit({
}) })
// --- Security Headers (Helmet) --- // --- Security Headers (Helmet) ---
const isDev = process.env.NODE_ENV === 'development'
const cspDirectives = { const cspDirectives = {
defaultSrc: ["'self'"], defaultSrc: ["'self'"],
scriptSrc: ["'self'"], scriptSrc: ["'self'"],
styleSrc: ["'self'", 'https://fonts.googleapis.com'], styleSrc: ["'self'", 'https://fonts.googleapis.com'],
fontSrc: ["'self'", 'https://fonts.gstatic.com'], fontSrc: ["'self'", 'https://fonts.gstatic.com'],
imgSrc: ["'self'", 'data:'], imgSrc: ["'self'", 'data:'],
connectSrc: ["'self'"], connectSrc: isDev ? ["'self'", 'ws://localhost:*'] : ["'self'"],
objectSrc: ["'none'"], objectSrc: ["'none'"],
baseUri: ["'self'"], baseUri: ["'self'"],
formAction: ["'self'"], formAction: ["'self'"],
@ -95,7 +96,7 @@ app.use(helmet({
log.info('[Security] Helmet enabled with CSP configured') log.info('[Security] Helmet enabled with CSP configured')
// --- CORS Configuration --- // --- CORS Configuration ---
const corsOrigin = process.env.CORS_ORIGIN || '*' // Default to * for development const corsOrigin = process.env.CORS_ORIGIN || 'https://queuenorth.com' // Default to production domain
const corsConfig = cors({ const corsConfig = cors({
origin: corsOrigin === '*' ? corsOrigin : (corsOrigin === 'null' ? undefined : corsOrigin), origin: corsOrigin === '*' ? corsOrigin : (corsOrigin === 'null' ? undefined : corsOrigin),
methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'], methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
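Review bot: The safer default on the `corsOrigin` line only helps when `CORS_ORIGIN` is unset; the `origin:` expression still reflects a wildcard whenever the variable is `*`, and nothing logs or refuses that outside development, so a copied dev `.env` silently re-opens CORS in production. The `'null'` → `undefined` mapping looks like it has the same effect, since the cors package falls back to its own default (documented as `*`) when no origin is given — worth confirming against the installed version. A single-string origin also means a local Vite frontend cannot be allowed next to the production domain without flipping to `*`, which is exactly what the new default was meant to discourage; accepting a comma-separated list removes that incentive. `isDev` from the earlier hunk and `log` are already in scope here, so the check can fail loudly without new imports; `corsConfig`'s remaining options continue past the hunk.
```javascript
const corsOrigin = process.env.CORS_ORIGIN || 'https://queuenorth.com' // Default to production domain
// Never let a wildcard ship silently: "*" is only acceptable for local development.
if (corsOrigin === '*' && !isDev) {
  log.warn('[Security] CORS_ORIGIN=* outside development — every origin is allowed')
}
// Comma-separated list so a dev frontend can be allowed alongside the production domain.
const allowedOrigins = corsOrigin.split(',').map((o) => o.trim()).filter(Boolean)
const corsConfig = cors({
  origin: corsOrigin === '*' ? corsOrigin : (corsOrigin === 'null' ? undefined : allowedOrigins),
  // … unchanged: methods and remaining cors options …
```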


@ -20,6 +20,6 @@ export default defineConfig({
}, },
build: { build: {
outDir: 'dist', outDir: 'dist',
sourcemap: true, sourcemap: process.env.NODE_ENV !== 'production',
}, },
}) })
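Review bot: The new `sourcemap:` line keys production off the ambient `process.env.NODE_ENV`, which the build inherits from the shell or CI rather than from Vite's own mode; Vite does set `NODE_ENV` to `production` for `vite build` when it is unset, but an exported `NODE_ENV=development` in a pipeline wins and the published bundle gets maps again. Vite hands the resolved mode to a config function, so the intent is explicit with `export default defineConfig(({ mode }) => ({`, `sourcemap: mode !== 'production',` and a closing `}))` — the `defineConfig` call itself begins before this hunk. If error reporting needs the maps in production, `'hidden'` keeps them out of the served JS (no `sourceMappingURL` comment) while still emitting the `.map` files for upload. Note that `build.sourcemap` only affects `vite build`; the dev server is unaffected by this change either way.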