From 47ad1e47e04b05637be029168e4cbc0079ca9ee2 Mon Sep 17 00:00:00 2001
From: Khoa Vo <vndangkhoa@gmail.com>
Date: Thu, 14 May 2026 14:23:22 +0700
Subject: [PATCH] fix: security hardening - remove secrets, fix CORS, add
 non-root user, add Secure flag

---
 .gitignore                                 | 6 ++++++
 Dockerfile                                 | 4 ++++
 backend/Dockerfile                         | 4 ++++
 frontend/app/components/RegionSelector.tsx | 2 +-
 supervisord.conf                           | 2 +-
 5 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index c534ce0..e51e2bb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,9 +30,15 @@ credentials.json
 .vscode/
 *.swp
 
+# Logs
+*.log
+
 # Debug files
 *_debug.txt
 
 # Temporary
 tmp_*/
+
+# Windows reserved names
+nul
 .gemini/
diff --git a/Dockerfile b/Dockerfile
index e804d30..e792320 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -60,6 +60,10 @@ ENV GIN_MODE=release
 ARG NEXT_PUBLIC_API_URL=http://127.0.0.1:8080
 ENV NEXT_PUBLIC_API_URL=${NEXT_PUBLIC_API_URL}
 
+RUN addgroup -S kvtube && adduser -S kvtube -G kvtube && chown -R kvtube:kvtube /app
+
+USER kvtube
+
 EXPOSE 3000 8080
 
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 861a92c..d5c7bdc 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -20,6 +20,10 @@ WORKDIR /app
 
 COPY --from=builder /app/kv-tube .
 
+RUN addgroup -S kvtube && adduser -S kvtube -G kvtube && chown -R kvtube:kvtube /app
+
+USER kvtube
+
 EXPOSE 8080
 
 ENV KVTUBE_DATA_DIR=/app/data
diff --git a/frontend/app/components/RegionSelector.tsx b/frontend/app/components/RegionSelector.tsx
index a5ef311..0af68be 100644
--- a/frontend/app/components/RegionSelector.tsx
+++ b/frontend/app/components/RegionSelector.tsx
@@ -21,7 +21,7 @@ function getRegionCookie(): string {
 }
 
 function setRegionCookie(code: string) {
-    document.cookie = `region=${encodeURIComponent(code)}; path=/; max-age=${60 * 60 * 24 * 365}; SameSite=Lax`;
+    document.cookie = `region=${encodeURIComponent(code)}; path=/; max-age=${60 * 60 * 24 * 365}; SameSite=Lax; Secure`;
 }
 
 export default function RegionSelector() {
diff --git a/supervisord.conf b/supervisord.conf
index a38da79..db83b44 100644
--- a/supervisord.conf
+++ b/supervisord.conf
@@ -12,7 +12,7 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-environment=KVTUBE_DATA_DIR="/app/data",GIN_MODE="release",PORT="8080",CORS_ALLOWED_ORIGINS="*"
+environment=KVTUBE_DATA_DIR="/app/data",GIN_MODE="release",PORT="8080"
 
 [program:frontend]
 command=node server.js