update osm
@@ -45,7 +45,11 @@ locally and only proxies the API routes used by the app:
The proxy blocks cross-origin/API-navigation requests, strips CORS headers from
the upstream response, rate limits callers, and caches successful GET responses
briefly so public page traffic does not hammer the upstream API.
briefly so public page traffic does not hammer the upstream API. All responses
ship `X-Content-Type-Options`, `X-Frame-Options: DENY`, `Referrer-Policy`,
`Permissions-Policy`, `Cross-Origin-Opener-Policy`, `Cross-Origin-Resource-Policy`,
HSTS (over HTTPS), and HTML responses include a Content Security Policy that
allows only Cloudflare Turnstile and the CARTO basemap tiles.
Override the API target before starting PM2 if needed:
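Review bot: the CSP sentence at the end of this paragraph ("allows only Cloudflare Turnstile and the CARTO basemap tiles") names the permitted origins but not the directives, so an operator cannot check the documented policy against what the server actually emits; list which origins land in which directives (for example `script-src` and `frame-src` for Turnstile, `img-src` or `connect-src` for the CARTO tiles) or point at the file where the policy string is built. Also, "HSTS (over HTTPS)" leaves open how the server decides it is serving HTTPS when it sits behind nginx or Cloudflare; a short cross-reference to the trusted `X-Forwarded-Proto` handling described in the "Reverse proxy / Cloudflare" section would close that gap.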
@@ -68,6 +72,22 @@ API_RATE_LIMIT_WINDOW_MS=60000
API_RATE_LIMIT_MAX=120
```
## Reverse proxy / Cloudflare
The server only honours `CF-Connecting-IP`, `X-Forwarded-For`, `X-Forwarded-Proto`,
and the Cloudflare geolocation headers when the immediate TCP peer is listed in
`TRUSTED_UPSTREAM_IPS`. Bind the server to `127.0.0.1` (or leave it on `0.0.0.0`
behind a firewall) and front it with nginx/Cloudflare for the configuration to
take effect:
```sh
TRUST_PROXY=cloudflare
TRUSTED_UPSTREAM_IPS=127.0.0.1,::1,::ffff:127.0.0.1
```
Set `TRUST_PROXY=none` if the server is exposed directly. Without it, an attacker
that reaches the app port can spoof client-IP headers to bypass rate limiting.
## Uptime snapshots
The production server samples uptime every 30 minutes and exposes the history at
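Review bot: the new "Reverse proxy / Cloudflare" section never states the default value of `TRUST_PROXY`, so an operator who sets neither `TRUST_PROXY=cloudflare` nor `TRUST_PROXY=none` cannot tell from this text whether the forwarded headers are honoured or ignored; add one sentence giving the default. The example also pairs `TRUST_PROXY=cloudflare` with a `TRUSTED_UPSTREAM_IPS` list containing only loopback addresses (`127.0.0.1,::1,::ffff:127.0.0.1`), which matches nginx on the same host but not Cloudflare connecting to the origin directly; state whether the `cloudflare` mode supplies Cloudflare's own ranges or whether those ranges must be listed in `TRUSTED_UPSTREAM_IPS`, since getting this wrong either trusts nothing (breaking geolocation and real-IP rate limiting) or trusts the wrong peer.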
@@ -120,14 +140,32 @@ setup, and actual data fields.
The webhook process listens on port `3011` at `/github`. Configure GitHub to send
push events there.
Set a webhook secret before starting PM2 if you want signature validation:
A webhook secret is required — without `GITHUB_WEBHOOK_SECRET`, the webhook
rejects every request:
```sh
GITHUB_WEBHOOK_SECRET=your-secret pm2 start ecosystem.config.cjs
```
On PowerShell, set `$env:GITHUB_WEBHOOK_SECRET = "your-secret"` before starting
PM2, or put the value directly in `ecosystem.config.cjs`.
PM2, or put the value in a `.env` file in the project root (recommended over
inlining the secret in a shell command, which writes it to shell history).
The webhook only deploys pushes whose `ref` is in `GITHUB_WEBHOOK_REFS`
(default `refs/heads/main`). Optionally pin the repository:
```sh
GITHUB_WEBHOOK_REFS=refs/heads/main
GITHUB_WEBHOOK_REPOSITORY=owner/repo
```
Deploys run `npm ci` (not `npm install`) so an attacker who compromises a
dependency cannot quietly add new packages — the lockfile is the source of
truth.
Set `DISCORD_INCLUDE_PATCH=true` only if the Discord channel is private; by
default the patch preview is omitted from Discord notifications to avoid
leaking diff contents.
The default deploy flow is:
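Review bot: the `npm ci` paragraph overstates what the lockfile buys. `npm ci` refuses to install anything the lockfile does not pin, so it blocks unreviewed drift in the dependency tree, but a compromised version that is already pinned in the lockfile is installed unchanged; "an attacker who compromises a dependency cannot quietly add new packages" should be narrowed to say that the attacker cannot pull in packages or versions the committed lockfile does not already list. Two smaller points in the same hunk: the PowerShell line `$env:GITHUB_WEBHOOK_SECRET = "your-secret"` has the same history-logging problem the following sentence warns about for shell commands, so the `.env` recommendation should be stated for PowerShell users too; and the `.env` advice should add that the file must be excluded from version control and be readable only by the user running PM2, since it now holds the secret that gates every deploy.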