- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt
for inactive/locked users, locked_until check in loadAuthData, TOTP
fixes (async bcrypt, BigInt conversion, future-code counter fix)
- Validation: Zod enums for leave_type/status, numeric transforms on
foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks)
- Permissions: requirePermission on attendance PUT, attendance_users
and project_logs access checks, trips users filtered by trips.record
- Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one
relations), attendance_users now filters by attendance.record only
- Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser,
duplicateOffer, bulkCreateAttendance, createLeave, scope-templates,
leave-requests, company-settings, profile updates
- Frontend: mountedRef reset in useListData, blob URL cleanup on unmount,
null checks on date fields, AdminDatePicker min/max for HH:mm
- Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri
- Other: exchange-rate cache TTL, invoice-alert midnight comparison fix,
numbering.service releaseSequence no-op, nas-offers filename sanitize,
Content-Disposition header injection fix, mojibake Czech strings
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
39 lines
1.2 KiB
TypeScript
39 lines
1.2 KiB
TypeScript
import { FastifyReply, FastifyRequest } from "fastify";
|
|
import { config } from "../config/env";
|
|
|
|
export async function securityHeaders(
|
|
_request: FastifyRequest,
|
|
reply: FastifyReply,
|
|
): Promise<void> {
|
|
reply.header("X-Content-Type-Options", "nosniff");
|
|
reply.header("X-Frame-Options", "DENY");
|
|
reply.header("Referrer-Policy", "strict-origin-when-cross-origin");
|
|
reply.header(
|
|
"Permissions-Policy",
|
|
"camera=(), microphone=(), geolocation=(self)",
|
|
);
|
|
reply.header("Cross-Origin-Opener-Policy", "same-origin");
|
|
reply.header("Cross-Origin-Resource-Policy", "same-origin");
|
|
|
|
if (config.isProduction) {
|
|
reply.header(
|
|
"Strict-Transport-Security",
|
|
"max-age=31536000; includeSubDomains",
|
|
);
|
|
reply.header(
|
|
"Content-Security-Policy",
|
|
[
|
|
"default-src 'self'",
|
|
"script-src 'self'",
|
|
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
|
|
"font-src 'self' https://fonts.gstatic.com",
|
|
"img-src 'self' data: blob: https://*.tile.openstreetmap.org",
|
|
"connect-src 'self' https://nominatim.openstreetmap.org",
|
|
"frame-ancestors 'none'",
|
|
"form-action 'self'",
|
|
"base-uri 'self'",
|
|
].join("; "),
|
|
);
|
|
}
|
|
}
|