update osm

This commit is contained in:
Heidi
2026-05-16 09:35:51 +01:00
parent f36bdf3738
commit e44b263f2e
6 changed files with 310 additions and 25 deletions
+41 -3
@@ -45,7 +45,11 @@ locally and only proxies the API routes used by the app:
The proxy blocks cross-origin/API-navigation requests, strips CORS headers from
the upstream response, rate limits callers, and caches successful GET responses
briefly so public page traffic does not hammer the upstream API.
briefly so public page traffic does not hammer the upstream API. All responses
ship `X-Content-Type-Options`, `X-Frame-Options: DENY`, `Referrer-Policy`,
`Permissions-Policy`, `Cross-Origin-Opener-Policy`, `Cross-Origin-Resource-Policy`,
HSTS (over HTTPS), and HTML responses include a Content Security Policy that
allows only Cloudflare Turnstile and the CARTO basemap tiles.
Override the API target before starting PM2 if needed:
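Review bot: the added sentence (`All responses ship ... allows only Cloudflare Turnstile and the CARTO basemap tiles`) names headers without their values, so an operator cannot check a deployment against this README; state the values (`X-Content-Type-Options: nosniff`, the chosen `Referrer-Policy` and `Permissions-Policy` settings, the COOP/CORP modes, the HSTS max-age) and quote the CSP directives, because anyone adding a new external asset will need to know where that allow-list lives. The sentence also runs two lists into one ("All responses ship ..., HSTS (over HTTPS), and HTML responses include a Content Security Policy"); split it into one sentence for headers on every response and one for the HTML-only CSP. "HSTS (over HTTPS)" also depends on the server knowing the scheme: when TLS terminates at nginx or Cloudflare, that is the trusted `X-Forwarded-Proto` described in the reverse-proxy section, so cross-reference it here.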
@@ -68,6 +72,22 @@ API_RATE_LIMIT_WINDOW_MS=60000
API_RATE_LIMIT_MAX=120
```
## Reverse proxy / Cloudflare
The server only honours `CF-Connecting-IP`, `X-Forwarded-For`, `X-Forwarded-Proto`,
and the Cloudflare geolocation headers when the immediate TCP peer is listed in
`TRUSTED_UPSTREAM_IPS`. Bind the server to `127.0.0.1` (or leave it on `0.0.0.0`
behind a firewall) and front it with nginx/Cloudflare for the configuration to
take effect:
```sh
TRUST_PROXY=cloudflare
TRUSTED_UPSTREAM_IPS=127.0.0.1,::1,::ffff:127.0.0.1
```
Set `TRUST_PROXY=none` if the server is exposed directly. Without it, an attacker
that reaches the app port can spoof client-IP headers to bypass rate limiting.
## Uptime snapshots
The production server samples uptime every 30 minutes and exposes the history at
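Review bot: the default behaviour is left ambiguous between the two paragraphs: the first says forwarded headers are honoured only when the TCP peer is listed in `TRUSTED_UPSTREAM_IPS`, while the last says `TRUST_PROXY=none` must be set explicitly or "an attacker that reaches the app port can spoof client-IP headers", which implies the peer allow-list alone does not protect. State what happens when `TRUST_PROXY` or `TRUSTED_UPSTREAM_IPS` is unset (trusting nothing is the safe default) and how the two variables interact. The example `TRUSTED_UPSTREAM_IPS=127.0.0.1,::1,::ffff:127.0.0.1` only covers a proxy on the same host, yet the text allows leaving the server on `0.0.0.0` behind a firewall; in that layout the peer is nginx or Cloudflare on another address, so add that the proxy's actual source addresses must be listed or no forwarded header will be honoured at all. Since the Cloudflare geolocation headers sit behind the same trust gate, mention that spoofing affects geolocation-dependent behaviour as well as rate limiting.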
@@ -120,14 +140,32 @@ setup, and actual data fields.
The webhook process listens on port `3011` at `/github`. Configure GitHub to send
push events there.
Set a webhook secret before starting PM2 if you want signature validation:
A webhook secret is required — without `GITHUB_WEBHOOK_SECRET`, the webhook
rejects every request:
```sh
GITHUB_WEBHOOK_SECRET=your-secret pm2 start ecosystem.config.cjs
```
On PowerShell, set `$env:GITHUB_WEBHOOK_SECRET = "your-secret"` before starting
PM2, or put the value directly in `ecosystem.config.cjs`.
PM2, or put the value in a `.env` file in the project root (recommended over
inlining the secret in a shell command, which writes it to shell history).
The webhook only deploys pushes whose `ref` is in `GITHUB_WEBHOOK_REFS`
(default `refs/heads/main`). Optionally pin the repository:
```sh
GITHUB_WEBHOOK_REFS=refs/heads/main
GITHUB_WEBHOOK_REPOSITORY=owner/repo
```
Deploys run `npm ci` (not `npm install`) so an attacker who compromises a
dependency cannot quietly add new packages — the lockfile is the source of
truth.
Set `DISCORD_INCLUDE_PATCH=true` only if the Discord channel is private; by
default the patch preview is omitted from Discord notifications to avoid
leaking diff contents.
The default deploy flow is:
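Review bot: the `npm ci` paragraph overstates what the lockfile buys: `npm ci` installs exactly what `package-lock.json` pins and fails when it disagrees with `package.json`, which stops resolution drift and unreviewed `package.json` edits from changing the install, but a compromised version that is already pinned in the lockfile installs all the same. Reword to something like "so the deploy installs only what the committed lockfile pins; dependency changes have to land in a reviewed commit". On the `.env` recommendation, add that the file must be in `.gitignore` and owner-readable only, otherwise it trades shell history for a world-readable file in the checkout. `GITHUB_WEBHOOK_REPOSITORY` is introduced as "Optionally pin the repository"; since a matching push triggers `npm ci` and a deploy, recommend setting it rather than leaving it optional, and say whether a push for a non-matching repository is rejected with an error or silently ignored, so operators know what to look for in the logs. The `DISCORD_INCLUDE_PATCH` sentence should also state the default value explicitly (`false`) next to the variable name rather than only in prose.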