fix: security hardening - remove secrets, fix CORS, add non-root user, add Secure flag

2026-05-14 14:23:22 +07:00 · 2026-05-14 14:23:22 +07:00 · 47ad1e47e0
commit 47ad1e47e0
parent 7462e4f413
5 changed files with 16 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -30,9 +30,15 @@ credentials.json
 .vscode/
 *.swp
 # Logs
 *.log
 # Debug files
 *_debug.txt
 # Temporary
 tmp_*/
 # Windows reserved names
 nul
 .gemini/
--- a/4
+++ b/4
@ -60,6 +60,10 @@ ENV GIN_MODE=release
 ARG NEXT_PUBLIC_API_URL=http://127.0.0.1:8080
 ENV NEXT_PUBLIC_API_URL=${NEXT_PUBLIC_API_URL}
 RUN addgroup -S kvtube && adduser -S kvtube -G kvtube && chown -R kvtube:kvtube /app
 USER kvtube
 EXPOSE 3000 8080
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -20,6 +20,10 @@ WORKDIR /app
 COPY --from=builder /app/kv-tube .
 RUN addgroup -S kvtube && adduser -S kvtube -G kvtube && chown -R kvtube:kvtube /app
 USER kvtube
 EXPOSE 8080
 ENV KVTUBE_DATA_DIR=/app/data
--- a/frontend/app/components/RegionSelector.tsx
+++ b/frontend/app/components/RegionSelector.tsx
@ -21,7 +21,7 @@ function getRegionCookie(): string {
 }
 function setRegionCookie(code: string) {
-    document.cookie = `region=${encodeURIComponent(code)}; path=/; max-age=${60 * 60 * 24 * 365}; SameSite=Lax`;
+    document.cookie = `region=${encodeURIComponent(code)}; path=/; max-age=${60 * 60 * 24 * 365}; SameSite=Lax; Secure`;
 }
 export default function RegionSelector() {
--- a/supervisord.conf
+++ b/supervisord.conf
@ -12,7 +12,7 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-environment=KVTUBE_DATA_DIR="/app/data",GIN_MODE="release",PORT="8080",CORS_ALLOWED_ORIGINS="*"
+environment=KVTUBE_DATA_DIR="/app/data",GIN_MODE="release",PORT="8080"
 [program:frontend]
 command=node server.js