[MEDIUM] Security: CORS, HTTPS, secrets in code #16

Open
opened 2026-04-19 11:21:33 +00:00 by NW · 0 comments
Owner

Problem

Multiple security issues for production.

Issues:

  1. CORS set to * (allows all origins) — must restrict to domain
  2. No HTTPS in Docker config
  3. Admin password hardcoded in seed: Admin@2026!
  4. No CSRF token verification on POST requests
  5. No helmet/security headers
  6. No rate limiting on static files

Required:

  • Restrict CORS to specific origins
  • Add HTTPS support (reverse proxy or direct)
  • Move seed password to env variable
  • Verify CSRF token on state-changing requests
  • Add security headers

Files: src/server/index.ts, docker-compose.yml, Dockerfile


Migrated from UniqueSoft/APAW#81
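Added example (not code from the TenerifeProp project or from this issue's author) showing, in dependency-free TypeScript, the weak setting beside the corrected one for the items above: the wildcard CORS header next to an origin-allowlist version, a seed password that must come from an environment variable, a constant-time CSRF token check limited to state-changing methods, a baseline set of security headers of the kind helmet sets, and a fixed-window rate limiter for static routes. The origin names, the `SEED_ADMIN_PASSWORD` variable name, the header values and the 12-character minimum are assumptions; the real server would wire these into its Express handlers.

```typescript
import { timingSafeEqual } from "node:crypto";

// Assumed allowlist; the issue only says "restrict to domain".
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Before (what the issue reports): every response carries the wildcard origin.
export function corsHeaderWildcard(): Record<string, string> {
  return { "Access-Control-Allow-Origin": "*" };
}

// After: echo the request origin only when it is on the allowlist, and add
// Vary: Origin so caches do not reuse the response for a different origin.
// Unknown origins get no CORS header at all, so the browser blocks the read.
export function corsHeaderRestricted(
  origin: string | undefined,
  allowlist: Set<string> = ALLOWED_ORIGINS,
): Record<string, string> {
  if (origin !== undefined && allowlist.has(origin)) {
    return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  }
  return {};
}

// Seed password comes from the environment, never from source; refuse to seed
// a default admin when it is missing or too short (12 chars is an assumption).
export function seedAdminPassword(env: Record<string, string | undefined>): string {
  const pw = env.SEED_ADMIN_PASSWORD;
  if (!pw || pw.length < 12) {
    throw new Error("SEED_ADMIN_PASSWORD must be set (>= 12 chars); refusing to seed a default admin");
  }
  return pw;
}

// Only state-changing methods need the CSRF check; safe methods are exempt.
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);
export function requiresCsrfCheck(method: string): boolean {
  return STATE_CHANGING.has(method.toUpperCase());
}

// Compare the token bound to the session with the one sent in the request.
// Length check first, then a constant-time comparison of the bytes.
export function csrfTokenValid(sessionToken: string | undefined, requestToken: string | undefined): boolean {
  if (!sessionToken || !requestToken) return false;
  const a = Buffer.from(sessionToken, "utf8");
  const b = Buffer.from(requestToken, "utf8");
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

// Baseline headers of the kind helmet sets; values are a reasonable default,
// not helmet's exact output, and the CSP in particular must match the app.
export function securityHeaders(): Record<string, string> {
  return {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Content-Security-Policy": "default-src 'self'",
  };
}

// Fixed-window counter keyed by client (e.g. IP) for the static-file route:
// at most `limit` hits per `windowMs`; `now` is injectable for testing.
export class FixedWindowLimiter {
  private readonly hits = new Map<string, { windowStart: number; count: number }>();
  constructor(private readonly limit: number, private readonly windowMs: number) {}

  allow(key: string, now: number = Date.now()): boolean {
    const entry = this.hits.get(key);
    if (!entry || now - entry.windowStart >= this.windowMs) {
      this.hits.set(key, { windowStart: now, count: 1 });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.limit;
  }
}
```

The CORS function deliberately returns no header for an unknown origin rather than a fixed "first allowed origin": echoing the matched origin plus `Vary: Origin` is what keeps shared caches from serving one origin's response to another. The seed check throws rather than falling back to a default so a misconfigured deployment fails at startup instead of shipping a known admin password.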

NW added this to the Production Readiness - Phase 2 milestone 2026-04-19 11:21:33 +00:00
Reference: UniqueSoft/TenerifeProp#16