feat: Add comprehensive user authentication, listing management, and core UI components.

This commit is contained in:
2026-02-04 21:32:25 +01:00
parent 737329794c
commit 23f7caedeb
34 changed files with 223 additions and 107 deletions


@@ -47,6 +47,7 @@
"fs-extra": "^11.2.0",
"groq-sdk": "^0.5.0",
"handlebars": "^4.7.8",
"helmet": "^8.1.0",
"nest-winston": "^1.9.4",
"nestjs-cls": "^5.4.0",
"nodemailer": "^7.0.12",
@@ -109,4 +110,4 @@
"coverageDirectory": "../coverage",
"testEnvironment": "node"
}
}
}


@@ -1,6 +1,7 @@
import { LoggerService } from '@nestjs/common';
import { NestFactory } from '@nestjs/core';
import express from 'express';
import helmet from 'helmet';
import { WINSTON_MODULE_NEST_PROVIDER } from 'nest-winston';
import { AppModule } from './app.module';
@@ -22,6 +23,37 @@ async function bootstrap() {
methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
allowedHeaders: 'Content-Type, Accept, Authorization, x-hide-loading',
});
// Security Headers with helmet
app.use(
helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "https://fonts.googleapis.com"],
styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
imgSrc: ["'self'", "data:", "https:", "blob:"],
connectSrc: ["'self'", "https://api.bizmatch.net", "https://*.firebaseapp.com", "https://*.googleapis.com"],
fontSrc: ["'self'", "https://fonts.gstatic.com", "data:"],
objectSrc: ["'none'"],
mediaSrc: ["'self'"],
frameSrc: ["'self'"],
},
},
crossOriginEmbedderPolicy: false, // Disable for now to avoid breaking existing functionality
hsts: {
maxAge: 31536000,
includeSubDomains: true,
preload: true,
},
frameguard: {
action: 'sameorigin', // Allow same-origin framing
},
crossOriginOpenerPolicy: { policy: 'same-origin-allow-popups' }, // Allow popups for OAuth
crossOriginResourcePolicy: { policy: 'cross-origin' }, // Allow cross-origin resources
}),
);
await app.listen(process.env.PORT || 3001);
}
bootstrap();
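Review bot: The `scriptSrc` directive at `scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", ...]` permits inline and eval'd script, which removes the protection a CSP is meant to provide against script injection, so the new header is largely advisory as written. If the front end cannot yet drop inline scripts, use a nonce- or hash-based source list instead, or at least record the relaxation next to the directive: `// TODO: drop 'unsafe-inline'/'unsafe-eval' from scriptSrc (use nonces/hashes); until then the CSP does not mitigate XSS`. Helmet's `contentSecurityPolicy` also accepts `reportOnly: true`, which would let the policy be rolled out against the existing pages and violations collected before it is enforced. `hsts.preload: true` is a commitment that is hard to reverse once the domain is submitted to the browser preload list, so it should be a confirmed decision rather than a default, and a short comment stating that decision would help the next maintainer. `bootstrap()` starts outside the hunk.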