security hardening, team invites, granular locking, view counts, board subscriptions, scheduled changelog, mentions, recovery codes, accessibility and hover states

2026-03-21 17:37:01 +02:00
parent f07eddf29e
commit 5ba25fb956
142 changed files with 30397 additions and 2287 deletions
--- a/packages/api/src/middleware/security.ts
+++ b/packages/api/src/middleware/security.ts
@@ -2,26 +2,51 @@ import { FastifyInstance } from "fastify";
 import fp from "fastify-plugin";

 async function securityPlugin(app: FastifyInstance) {
-  app.addHook("onSend", async (_req, reply) => {
-    reply.header("Content-Security-Policy", [
-      "default-src 'self'",
-      "script-src 'self'",
-      "style-src 'self' 'unsafe-inline'",
-      "img-src 'self' data:",
-      "font-src 'self'",
-      "connect-src 'self'",
-      "frame-ancestors 'none'",
-      "base-uri 'self'",
-      "form-action 'self'",
-    ].join("; "));
+  app.addHook("onSend", async (req, reply) => {
+    const isEmbed = req.url.startsWith("/api/v1/embed/") || req.url.startsWith("/embed/");
+
+    if (isEmbed) {
+      // embed routes need to be frameable by third-party sites
+      reply.header("Content-Security-Policy", [
+        "default-src 'self'",
+        "script-src 'self'",
+        "style-src 'self' 'unsafe-inline'",
+        "img-src 'self' data:",
+        "font-src 'self'",
+        "connect-src 'self'",
+        "frame-src 'none'",
+        "object-src 'none'",
+        "frame-ancestors *",
+        "base-uri 'self'",
+        "form-action 'none'",
+      ].join("; "));
+      reply.header("Cross-Origin-Resource-Policy", "cross-origin");
+      reply.header("Access-Control-Allow-Origin", "*");
+      reply.header("Access-Control-Allow-Credentials", "false");
+    } else {
+      reply.header("Content-Security-Policy", [
+        "default-src 'self'",
+        "script-src 'self'",
+        "style-src 'self' 'unsafe-inline'",
+        "img-src 'self' data:",
+        "font-src 'self'",
+        "connect-src 'self'",
+        "frame-src 'none'",
+        "object-src 'none'",
+        "frame-ancestors 'none'",
+        "base-uri 'self'",
+        "form-action 'self'",
+      ].join("; "));
+      reply.header("X-Frame-Options", "DENY");
+      reply.header("Cross-Origin-Opener-Policy", "same-origin");
+      reply.header("Cross-Origin-Resource-Policy", "same-origin");
+    }
+
    reply.header("Referrer-Policy", "no-referrer");
    reply.header("X-Content-Type-Options", "nosniff");
-    reply.header("X-Frame-Options", "DENY");
-    reply.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
-    reply.header("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
+    reply.header("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload");
+    reply.header("Permissions-Policy", "camera=(), microphone=(), geolocation=(), interest-cohort=()");
    reply.header("X-DNS-Prefetch-Control", "off");
-    reply.header("Cross-Origin-Opener-Policy", "same-origin");
-    reply.header("Cross-Origin-Resource-Policy", "same-origin");
  });
 }