Claude 3ddbe731a5 security: fix CORS, CSRF, CSP, HSTS, sessions, and path traversal ... - CORS: restrict origin from wildcard '*' to app URL from env (prevents cross-origin requests from arbitrary sites) - Sessions: enable @adonisjs/session with cookie store and httpOnly/secure cookie flags; uncomment session middleware in kernel.ts - CSRF: enable shield CSRF protection (requires sessions); uses XSRF-TOKEN cookie mechanism compatible with Inertia.js/Axios; exempts /api/health and SSE transmit endpoints - CSP: enable Content Security Policy with restrictive directives (no object-src, no frame-src, self-only script/style/connect/font) - HSTS: enable HTTP Strict Transport Security in production only - Path traversal: tighten filenameParamValidator to block /, \, .., and shell special characters; reduce max length from 4096 to 255 - env: add URL to .env.example; uncomment SESSION_DRIVER validation in env.ts https://claude.ai/code/session_01WfRC4tDeYprykhMrg4PxX6		2026-03-22 21:11:18 +00:00
..
app.ts	feat: initial commit	2025-06-29 15:51:08 -07:00
bodyparser.ts	feat: initial commit	2025-06-29 15:51:08 -07:00
cors.ts	security: fix CORS, CSRF, CSP, HSTS, sessions, and path traversal	2026-03-22 21:11:18 +00:00
database.ts	feat: initial commit	2025-06-29 15:51:08 -07:00
hash.ts	feat: initial commit	2025-06-29 15:51:08 -07:00
inertia.ts	feat(AI Assistant): custom name option for AI Assistant	2026-03-04 20:05:14 -08:00
logger.ts	feat: make Nomad fully composable	2026-03-20 11:46:10 -07:00
queue.ts	feat: background job overhaul with bullmq	2025-12-06 23:59:01 -08:00
session.ts	security: fix CORS, CSRF, CSP, HSTS, sessions, and path traversal	2026-03-22 21:11:18 +00:00
shield.ts	security: fix CORS, CSRF, CSP, HSTS, sessions, and path traversal	2026-03-22 21:11:18 +00:00
static.ts	feat: background job overhaul with bullmq	2025-12-06 23:59:01 -08:00
transmit.ts	fix(ui): reduce SSE reconnect churn and polling overhead on navigation	2026-03-20 11:46:10 -07:00
vite.ts	feat: initial commit	2025-06-29 15:51:08 -07:00