feat: production-harden app and finalize merge-ready UX/theme baseline
- complete tokenized theme preset system and admin style guide visibility - refine dashboard layout/scroll behavior and shared async/request UI states - add user nav-visibility settings across API, migration, and frontend stores - harden security headers/CSP handling and related test coverage - enforce CI repository hygiene + frontend contract/theme/build quality gates - update docs/env references and make migration smoke test head-aware
This commit is contained in:
parent
ab1d29b203
commit
ae2ca8f149
66 changed files with 5655 additions and 853 deletions
15
.env.example
15
.env.example
|
|
@ -21,6 +21,21 @@ MIGRATE_ON_START=1
|
|||
|
||||
SESSION_SECRET_KEY=replace-with-a-long-random-secret-at-least-32-characters
|
||||
SESSION_COOKIE_SECURE=1
|
||||
SECURITY_HEADERS_ENABLED=1
|
||||
SECURITY_X_CONTENT_TYPE_OPTIONS=nosniff
|
||||
SECURITY_X_FRAME_OPTIONS=DENY
|
||||
SECURITY_REFERRER_POLICY=strict-origin-when-cross-origin
|
||||
SECURITY_PERMISSIONS_POLICY=accelerometer=(), autoplay=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), microphone=(), payment=(), usb=()
|
||||
SECURITY_CROSS_ORIGIN_OPENER_POLICY=same-origin
|
||||
SECURITY_CROSS_ORIGIN_RESOURCE_POLICY=same-origin
|
||||
SECURITY_CSP_ENABLED=1
|
||||
SECURITY_CSP_POLICY=default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https:; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self'; object-src 'none'
|
||||
SECURITY_CSP_DOCS_POLICY=default-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self' https:; object-src 'none'; frame-ancestors 'none'
|
||||
SECURITY_CSP_REPORT_ONLY=0
|
||||
SECURITY_STRICT_TRANSPORT_SECURITY_ENABLED=0
|
||||
SECURITY_STRICT_TRANSPORT_SECURITY_MAX_AGE=31536000
|
||||
SECURITY_STRICT_TRANSPORT_SECURITY_INCLUDE_SUBDOMAINS=1
|
||||
SECURITY_STRICT_TRANSPORT_SECURITY_PRELOAD=0
|
||||
LOGIN_RATE_LIMIT_ATTEMPTS=5
|
||||
LOGIN_RATE_LIMIT_WINDOW_SECONDS=60
|
||||
LOG_LEVEL=INFO
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue