akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
debd0d98fcb02f6369415e98579aa17ee54694bc
caddy-proxy-manager/next.config.mjs
fuomag9 debd0d98fc security: fix 17 vulnerabilities from comprehensive pentest 
Fixes identified from full security audit covering auth, crypto,
injection, infrastructure, and configuration security.

Critical:
- C1: Fail-closed on unrecognized NODE_ENV (prevent DEV_SECRET in staging)
- C3: Validate API token expires_at (reject invalid dates that bypass expiry)

High:
- H1: Refresh JWT role from DB on each session (reflect demotions immediately)
- H2: Docker socket proxy for l4-port-manager (restrict API surface)
- H5: Block dangerous WAF custom directives (SecRuleEngine, SecAuditEngine)
- H7: Require explicit NEXTAUTH_TRUST_HOST instead of always trusting Host
- H8: Semantic validation of sync payload (block metadata SSRF, size limits)

Medium:
- M3: Rate limit password change current-password verification
- M5: Parameterized SQL in log/waf parsers (replace template literals)
- M6: Nonce-based CSP replacing unsafe-inline for script-src
- M9: Strip Caddy placeholders from rewrite path_prefix
- M10: Sanitize authentik outpostDomain (path traversal, placeholders)
- M14: Deny access on missing JWT role instead of defaulting to "user"

Low:
- L1: Require Origin header on mutating session-authenticated requests
- L4: Enforce password complexity on user password changes
- L5: Time-limited legacy SHA-256 key fallback (grace period until 2026-06-01)
- L6: Escape LIKE metacharacters in audit log search
- L7: Runtime-validate WAF excluded_rule_ids as positive integers

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 12:14:44 +01:00

31 lines
1005 B
JavaScript
Raw Blame History

/* global process */
// When building under Node.js (not Bun), redirect bun:sqlite to a better-sqlite3 shim
// so `next build` works locally without Bun installed.
const isBun = typeof globalThis.Bun !== 'undefined';
/** @type {import('next').NextConfig} */
const nextConfig = {
serverExternalPackages: isBun ? ['bun:sqlite'] : ['better-sqlite3'],
...(!isBun && {
turbopack: {
resolveAlias: {
'bun:sqlite': './tests/helpers/bun-sqlite-compat.ts',
'drizzle-orm/bun-sqlite/migrator': 'drizzle-orm/better-sqlite3/migrator',
'drizzle-orm/bun-sqlite': 'drizzle-orm/better-sqlite3',
},
},
}),
experimental: {
serverActions: {
bodySizeLimit: '2mb'
}
},
output: 'standalone',
// M6: Security headers (CSP, X-Frame-Options, etc.) are set per-request in
// proxy.ts middleware with a unique nonce, so they are NOT defined here.
// Static headers() would override the nonce-based CSP with a nonce-less one.
};
export default nextConfig;
Reference in New Issue View Git Blame Copy Permalink