chore(docker): .dockerignore angepasst; lokale Build-Schritte in Rebuild-Skripten; Doku/README zu production vs production-prebuilt aktualisiert

2025-10-06 18:59:17 +02:00
parent 7a84130aec
commit 1124b1f40b
24 changed files with 1149 additions and 270 deletions
--- a/server-dist/index.js
+++ b/server-dist/index.js
@@ -1,14 +1,59 @@
 import { Hono } from "hono";
 import { serve } from '@hono/node-server';
 import { serveStatic } from '@hono/node-server/serve-static';
+import { cors } from 'hono/cors';
 import { rpcApp } from "./routes/rpc.js";
 import { caldavApp } from "./routes/caldav.js";
 import { clientEntry } from "./routes/client-entry.js";
 const app = new Hono();
-// Allow all hosts for Tailscale Funnel
+// CORS Configuration
+const isDev = process.env.NODE_ENV === 'development';
+const domain = process.env.DOMAIN || 'localhost:5173';
+// Build allowed origins list
+const allowedOrigins = [
+    `https://${domain}`,
+    isDev ? `http://${domain}` : null,
+    isDev ? 'http://localhost:5173' : null,
+    isDev ? 'http://localhost:3000' : null,
+].filter((origin) => origin !== null);
+app.use('*', cors({
+    origin: (origin) => {
+        // Allow requests with no origin (e.g., mobile apps, curl, Postman)
+        if (!origin)
+            return null;
+        // Check if origin is in whitelist
+        if (allowedOrigins.includes(origin)) {
+            return origin;
+        }
+        // Reject all other origins
+        return null;
+    },
+    credentials: true, // Enable cookies for authentication
+    allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+    allowHeaders: ['Content-Type', 'Authorization', 'X-CSRF-Token'],
+    exposeHeaders: ['Set-Cookie'],
+    maxAge: 86400, // Cache preflight requests for 24 hours
+}));
+// Content-Security-Policy and other security headers
 app.use("*", async (c, next) => {
-    // Accept requests from any host
-    return next();
+    const isDev = process.env.NODE_ENV === 'development';
+    const directives = [
+        "default-src 'self'",
+        `script-src 'self'${isDev ? " 'unsafe-inline'" : ''}`,
+        "style-src 'self' 'unsafe-inline'",
+        "img-src 'self' data: https:",
+        "font-src 'self' data:",
+        "connect-src 'self'",
+        "frame-ancestors 'none'",
+        "base-uri 'self'",
+        "form-action 'self'",
+    ];
+    const csp = directives.join('; ');
+    c.header('Content-Security-Policy', csp);
+    c.header('X-Content-Type-Options', 'nosniff');
+    c.header('X-Frame-Options', 'DENY');
+    c.header('Referrer-Policy', 'strict-origin-when-cross-origin');
+    await next();
 });
 // Health check endpoint
 app.get("/health", (c) => {