6b31b2f74b
- System settings page with tabs: Security, System, Firma
- Configurable attendance rules (break thresholds, rounding) from DB
- Configurable document numbering with template patterns ({YYYY}/{PREFIX}/{NNN})
- Dynamic logo upload (light/dark variants) served from DB instead of static files
- Email settings (SMTP from/name, alert/leave emails) configurable in UI
- Currency and VAT rate lists configurable, used across all modules
- Permissions simplified: offers.settings + settings.roles + settings.security → settings.manage
- Leaflet bundled locally, removed unpkg.com from CSP
- Silent catch blocks fixed with proper logging
- console.log replaced with app.log.info in server.ts
- Schema renamed: company-settings.schema → settings.schema
- App info section: version, Node.js, uptime, memory, DB status, NAS status
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
34 lines
1020 B
TypeScript
34 lines
1020 B
TypeScript
import { FastifyReply, FastifyRequest } from "fastify";
|
|
import { config } from "../config/env";
|
|
|
|
export async function securityHeaders(
|
|
_request: FastifyRequest,
|
|
reply: FastifyReply,
|
|
): Promise<void> {
|
|
reply.header("X-Content-Type-Options", "nosniff");
|
|
reply.header("X-Frame-Options", "DENY");
|
|
reply.header("Referrer-Policy", "strict-origin-when-cross-origin");
|
|
reply.header(
|
|
"Permissions-Policy",
|
|
"camera=(), microphone=(), geolocation=(self)",
|
|
);
|
|
|
|
if (config.isProduction) {
|
|
reply.header(
|
|
"Strict-Transport-Security",
|
|
"max-age=31536000; includeSubDomains",
|
|
);
|
|
reply.header(
|
|
"Content-Security-Policy",
|
|
[
|
|
"default-src 'self'",
|
|
"script-src 'self'",
|
|
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
|
|
"font-src 'self' https://fonts.gstatic.com",
|
|
"img-src 'self' data: blob: https://*.tile.openstreetmap.org",
|
|
"connect-src 'self' https://nominatim.openstreetmap.org",
|
|
].join("; "),
|
|
);
|
|
}
|
|
}
|