chore(contrib): security headers in example nginx/caddy configs (P6-4)
Add HSTS + Permissions-Policy + the standard X-Frame/X-Content/Referrer set to the contrib nginx (443 block) and caddy examples; fix the caddy SPA try_files fallback (stray space). Generic (no homeserver-specific CSP). The real prod config lives in the matrix repo.

P6-4 trimmed to headers only — patch-package / types-drift / build-config skipped (see LOTUS_TODO).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
+8 -1
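As an added example (not the project's `contrib/nginx` file and not the prod `matrix/cinny/nginx.conf`), this is the shape of a 443 block that carries the header set the commit describes and also handles the inheritance caveat the TODO entry records: nginx discards every inherited `add_header` in any location that declares one of its own, so the headers live in a snippet that each such location includes. The header values, the snippet path, the deny list in `Permissions-Policy`, the hostname, certificate paths and web root are assumptions, not values taken from the page.

```nginx
# --- snippets/security-headers.conf (assumed path; added example, not the project's file) ---
# "always" attaches the headers to 4xx/5xx responses as well, not only 2xx/3xx.
# max-age/includeSubDomains are assumed values; "preload" is deliberately left
# out because submission to the browser preload list is hard to reverse.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Features the app uses get (self); the denied list after them is illustrative (assumption).
add_header Permissions-Policy "camera=(self), microphone=(self), display-capture=(self), geolocation=(self), autoplay=(self), fullscreen=(self), payment=(), usb=(), midi=()" always;

# --- the 443 server block ---
server {
    listen 443 ssl;
    server_name chat.example.org;                                  # assumed hostname

    ssl_certificate     /etc/ssl/chat.example.org/fullchain.pem;   # assumed paths
    ssl_certificate_key /etc/ssl/chat.example.org/privkey.pem;

    root  /var/www/cinny;                                          # assumed web root
    index index.html;

    # Applies to every location below that does NOT declare its own add_header.
    include snippets/security-headers.conf;

    # SPA fallback via try_files rather than a rewrite: unknown paths serve
    # index.html with a 200 and the client-side router takes over.
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Hashed assets with a long cache lifetime. This location declares its own
    # add_header, which drops every inherited one, so the snippet is included
    # again. Without that include, responses from here would carry no HSTS,
    # X-Frame-Options or Permissions-Policy at all.
    location ~* \.(?:js|css|woff2?|png|svg|ico)$ {
        include snippets/security-headers.conf;
        add_header Cache-Control "public, max-age=31536000, immutable" always;
        try_files $uri =404;
    }

    # index.html must not be cached long-term or users keep a stale bundle
    # manifest; same rule applies, so the snippet is re-included here too.
    location = /index.html {
        include snippets/security-headers.conf;
        add_header Cache-Control "no-cache" always;
    }
}
```

Run `nginx -t` before `nginx -s reload`, then compare `curl -sI https://chat.example.org/` with a `curl -sI` against any `.js` asset path: both responses should show the same five security headers, which is exactly the check that fails on a config that only sets them at server level.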
@@ -553,7 +553,14 @@ _Original scope:_
|
||||
- **Live bookmark previews** — `BookmarksPanel` shows a stale snapshot captured at save time; resolve live from the event when cached (edits/redactions), fall back to the snapshot.
|
||||
- Other small paper-cuts as scoped.
|
||||
|
||||
### [ ] P6-4 · Hygiene sweep
|
||||
### [~] P6-4 · Hygiene sweep - TRIMMED (2026-07): security headers only
|
||||
|
||||
**Shipped:** HSTS + Permissions-Policy on the real prod nginx (`matrix/cinny/nginx.conf`, already had X-Frame/CSP/Referrer) + synced the `contrib/nginx` + `contrib/caddy` examples (also fixed the caddy `try_files` SPA fallback). Permissions-Policy allows `self` for the features the app uses (camera/mic/display-capture/geolocation/autoplay/fullscreen), denies unused. **User must `nginx -s reload` on the LXC + verify calls/location still work.**
|
||||
**WON'T-DO (rationale):** patch-package migration - the current `patch-folds.mjs` is already robust (fails hard on drift) and patch-package would be more brittle to folds restructuring; `types/matrix` drift - risky spot-fixes with no concrete bug; build-config streamlining - build is already ~5s. Known follow-up: nginx `add_header` isn't inherited by the cache `location` blocks (pre-existing; the SPA entry `/` still gets all headers, so HSTS is delivered).
|
||||
|
||||
_Original scope:_
|
||||
|
||||
### [ ] P6-4-orig · Hygiene sweep
|
||||
|
||||
- `patch-folds.mjs` (edits `node_modules` directly) → `patch-package`.
|
||||
- `contrib/nginx` + `contrib/caddy`: security headers (HSTS/CSP), `try_files` over rewrites, fix the caddy placeholder path.
|
||||
|
||||
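Review bot: the "Known follow-up" in the P6-4 entry records that nginx `add_header` is not inherited by the cache `location` blocks, which means every response served from those blocks goes out without HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy or the newly added Permissions-Policy; since this is the commit that adds headers to `contrib/nginx`, it is the place to close that gap rather than defer it as "pre-existing". nginx only inherits `add_header` into a location that declares none of its own, so the standard fix is to move the header set into a snippet and `include` it from every location that sets `Cache-Control` or `Expires`. The entry's reasoning that "the SPA entry `/` still gets all headers, so HSTS is delivered" holds only when a browser's first response from the host comes from `/`; a first request for an asset path gets no HSTS at all, so the sentence should state that condition instead of presenting HSTS as delivered unconditionally. On the operator line, `nginx -t` belongs before `nginx -s reload`, since a malformed quoted header value would otherwise take the prod `matrix/cinny/nginx.conf` down on reload, and "verify calls/location still work" should say what a wrong `Permissions-Policy` looks like in practice (camera/microphone/geolocation prompts that never appear) so the person doing the reload knows what to look for.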