2026-06-28 12:56:48 +01:00
parent 92c7185036
commit 2737cc7c03
4 changed files with 111 additions and 0 deletions
+7
@@ -120,8 +120,15 @@ VITE_STATIC_DATA=false
VITE_SITE_GATE=false
API_RATE_LIMIT_WINDOW_MS=60000
API_RATE_LIMIT_MAX=120
SITE_SESSION_SECRET=long-random-shared-secret
SITE_SESSION_TTL_SECONDS=43200
```
HTML responses set a signed, HttpOnly site-session cookie. `/api/*` and `/data/*`
requests must present that cookie and same-origin browser request metadata, so the
data is served to active site sessions instead of as an open public API. All PM2
web instances must share the same `SITE_SESSION_SECRET`.
On startup, the web server preloads the critical public snapshots before
signalling PM2 `ready`: team leaderboard, player leaderboard, home teams, and
recent games. `/health` includes a `public_data` block with the latest preload
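Review bot: The `SITE_SESSION_SECRET=long-random-shared-secret` line in the env example reads as a usable value, so a deployment that copies the block verbatim signs its cookies with a string published in this README. Suggest a placeholder that cannot be mistaken for a real secret, a sentence on how to generate it and how to rotate it across the PM2 instances that must share it, and a statement of what the server does when the variable is unset or left at the placeholder. The paragraph below the example says only "same-origin browser request metadata"; it should name the request headers that are checked and say which cookie attributes besides HttpOnly are set. Since the cookie is set on HTML responses, it is also worth stating that this gate limits use of `/api/*` and `/data/*` as an open API and is not user authentication, so nothing sensitive should rely on it.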