github-mirror/project-nomad
1
0
Fork 0
mirror of https://github.com/Crosstalk-Solutions/project-nomad.git synced 2026-03-29 21:19:25 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
cd28a109b9
project-nomad/admin/start/env.ts
Claude 3ddbe731a5
security: fix CORS, CSRF, CSP, HSTS, sessions, and path traversal 
- CORS: restrict origin from wildcard '*' to app URL from env (prevents
  cross-origin requests from arbitrary sites)
- Sessions: enable @adonisjs/session with cookie store and httpOnly/secure
  cookie flags; uncomment session middleware in kernel.ts
- CSRF: enable shield CSRF protection (requires sessions); uses XSRF-TOKEN
  cookie mechanism compatible with Inertia.js/Axios; exempts /api/health
  and SSE transmit endpoints
- CSP: enable Content Security Policy with restrictive directives
  (no object-src, no frame-src, self-only script/style/connect/font)
- HSTS: enable HTTP Strict Transport Security in production only
- Path traversal: tighten filenameParamValidator to block /, \, ..,
  and shell special characters; reduce max length from 4096 to 255
- env: add URL to .env.example; uncomment SESSION_DRIVER validation in env.ts

https://claude.ai/code/session_01WfRC4tDeYprykhMrg4PxX6
2026-03-22 21:11:18 +00:00

64 lines
2.1 KiB
TypeScript
Raw Blame History

/*
|--------------------------------------------------------------------------
| Environment variables service
|--------------------------------------------------------------------------
|
| The `Env.create` method creates an instance of the Env service. The
| service validates the environment variables and also cast values
| to JavaScript data types.
|
*/
import { Env } from '@adonisjs/core/env'
export default await Env.create(new URL('../', import.meta.url), {
NODE_ENV: Env.schema.enum(['development', 'production', 'test'] as const),
PORT: Env.schema.number(),
APP_KEY: Env.schema.string(),
HOST: Env.schema.string({ format: 'host' }),
URL: Env.schema.string(),
LOG_LEVEL: Env.schema.string(),
INTERNET_STATUS_TEST_URL: Env.schema.string.optional(),
/*
|----------------------------------------------------------
| Variables for configuring storage paths
|----------------------------------------------------------
*/
NOMAD_STORAGE_PATH: Env.schema.string.optional(),
/*
|----------------------------------------------------------
| Variables for configuring session package
|----------------------------------------------------------
*/
SESSION_DRIVER: Env.schema.enum(['cookie', 'memory'] as const),
/*
|----------------------------------------------------------
| Variables for configuring the database package
|----------------------------------------------------------
*/
DB_HOST: Env.schema.string({ format: 'host' }),
DB_PORT: Env.schema.number(),
DB_USER: Env.schema.string(),
DB_PASSWORD: Env.schema.string.optional(),
DB_DATABASE: Env.schema.string(),
DB_SSL: Env.schema.boolean.optional(),
/*
|----------------------------------------------------------
| Variables for configuring the Redis connection
|----------------------------------------------------------
*/
REDIS_HOST: Env.schema.string({ format: 'host' }),
REDIS_PORT: Env.schema.number(),
/*
|----------------------------------------------------------
| Variables for configuring Project Nomad's external API URL
|----------------------------------------------------------
*/
NOMAD_API_URL: Env.schema.string.optional(),
})
Reference in New Issue View Git Blame Copy Permalink