mirror of
https://github.com/Crosstalk-Solutions/project-nomad.git
synced 2026-03-29 04:59:26 +02:00
- CORS: restrict origin from wildcard '*' to app URL from env (prevents cross-origin requests from arbitrary sites)
- Sessions: enable @adonisjs/session with cookie store and httpOnly/secure cookie flags; uncomment session middleware in kernel.ts
- CSRF: enable shield CSRF protection (requires sessions); uses XSRF-TOKEN cookie mechanism compatible with Inertia.js/Axios; exempts /api/health and SSE transmit endpoints
- CSP: enable Content Security Policy with restrictive directives (no object-src, no frame-src, self-only script/style/connect/font)
- HSTS: enable HTTP Strict Transport Security in production only
- Path traversal: tighten filenameParamValidator to block /, \, .., and shell special characters; reduce max length from 4096 to 255
- env: add URL to .env.example; uncomment SESSION_DRIVER validation in env.ts

https://claude.ai/code/session_01WfRC4tDeYprykhMrg4PxX6
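As an added example, not code from project-nomad or its authors: a standalone TypeScript check that applies the filenameParamValidator rules the commit message lists (no `/`, `\`, `..` or shell special characters; maximum length 255) to a few constructed inputs. The exact character set, the function name `checkFilename` and the sample names are assumptions, not the project's own validator.

```typescript
// Added example, not project-nomad's own code. The character set below is an
// assumption about what "shell special characters" covers; the project's
// actual regex is not shown on this page.

const MAX_FILENAME_LENGTH = 255; // the commit reduces this from 4096

// Characters that carry meaning to a shell (assumed set, including whitespace).
const SHELL_SPECIAL = /[;&|<>$`"'\s(){}\[\]*?!#~]/;

type FilenameCheck = { ok: true } | { ok: false; reason: string };

function checkFilename(name: string): FilenameCheck {
  if (name.length === 0) return { ok: false, reason: 'empty' };
  if (name.length > MAX_FILENAME_LENGTH) return { ok: false, reason: 'too long' };
  // A filename parameter must name a single file, never a path.
  if (name.includes('/') || name.includes('\\')) return { ok: false, reason: 'path separator' };
  // Parent-directory segments, even when embedded in a longer name.
  if (name === '.' || name.includes('..')) return { ok: false, reason: 'dot segment' };
  if (SHELL_SPECIAL.test(name)) return { ok: false, reason: 'shell special character' };
  // Control characters and NUL never belong in a legitimate filename.
  if (/[\x00-\x1f\x7f]/.test(name)) return { ok: false, reason: 'control character' };
  return { ok: true };
}

// Constructed sample inputs: one legitimate ZIM name and several that the
// tightened validator is meant to reject.
const SAMPLES: Array<[string, boolean]> = [
  ['wikipedia_en_all.zim', true],
  ['../../etc/passwd', false],
  ['maps\\..\\secret.zim', false],
  ['a.zim; rm -rf /', false],
  ['x'.repeat(256) + '.zim', false],
];

// Returns true when every sample is classified as expected.
function runSamples(): boolean {
  return SAMPLES.every(([name, expected]) => checkFilename(name).ok === expected);
}
```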
19 lines
485 B
Plaintext
PORT=8080
HOST=localhost
URL=http://localhost:8080
LOG_LEVEL=info
APP_KEY=some_random_key
NODE_ENV=development
SESSION_DRIVER=cookie
DB_HOST=localhost
DB_PORT=3306
DB_USER=root
DB_DATABASE=nomad
DB_PASSWORD=password
DB_SSL=false
REDIS_HOST=localhost
REDIS_PORT=6379
# Storage path for NOMAD content (ZIM files, maps, etc.)
# On Windows dev, use an absolute path like: C:/nomad-storage
# On Linux production, use: /opt/project-nomad/storage
NOMAD_STORAGE_PATH=/opt/project-nomad/storage