fix: security hardening - remove secrets, fix CORS, add non-root user, add Secure flag

.gitignore

@@ -30,9 +30,15 @@ credentials.json
 .vscode/
 *.swp
 
+# Logs
+*.log
+
 # Debug files
 *_debug.txt
 
 # Temporary
 tmp_*/
+
+# Windows reserved names
+nul
 .gemini/

Dockerfile

@@ -60,6 +60,10 @@ ENV GIN_MODE=release
 ARG NEXT_PUBLIC_API_URL=http://127.0.0.1:8080
 ENV NEXT_PUBLIC_API_URL=${NEXT_PUBLIC_API_URL}
 
+RUN addgroup -S kvtube && adduser -S kvtube -G kvtube && chown -R kvtube:kvtube /app
+
+USER kvtube
+
 EXPOSE 3000 8080
 
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]

backend/Dockerfile

@@ -20,6 +20,10 @@ WORKDIR /app
 
 COPY --from=builder /app/kv-tube .
 
+RUN addgroup -S kvtube && adduser -S kvtube -G kvtube && chown -R kvtube:kvtube /app
+
+USER kvtube
+
 EXPOSE 8080
 
 ENV KVTUBE_DATA_DIR=/app/data

frontend/app/components/RegionSelector.tsx

@@ -21,7 +21,7 @@ function getRegionCookie(): string {
 }
 
 function setRegionCookie(code: string) {
-    document.cookie = `region=${encodeURIComponent(code)}; path=/; max-age=${60 * 60 * 24 * 365}; SameSite=Lax`;
+    document.cookie = `region=${encodeURIComponent(code)}; path=/; max-age=${60 * 60 * 24 * 365}; SameSite=Lax; Secure`;
 }
 
 export default function RegionSelector() {

supervisord.conf

@@ -12,7 +12,7 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-environment=KVTUBE_DATA_DIR="/app/data",GIN_MODE="release",PORT="8080",CORS_ALLOWED_ORIGINS="*"
+environment=KVTUBE_DATA_DIR="/app/data",GIN_MODE="release",PORT="8080"
 
 [program:frontend]
 command=node server.js