food-market/deploy
nns a80471d0f9
Some checks failed
Auto-tag / Create date-tag (push) Waiting to run
CI / Backend (.NET 8) (push) Waiting to run
CI / Web (React + Vite) (push) Waiting to run
CI / POS (WPF, Windows) (push) Waiting to run
Docker Web / Build + push Web (push) Has been cancelled
Docker Web / Deploy Web on stage (push) Has been cancelled
fix(security): add HSTS header on stage + integration test
Found in the Sprint 28 security audit: stage serves security headers
(CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy and others), but
WITHOUT Strict-Transport-Security. HSTS from ASP.NET Core (Program.cs UseHsts)
does not fire because the api behind the nginx proxy sees the request as HTTP
(no ForwardedHeaders middleware; nginx X-Forwarded-Proto is not decoded).

Simplest fix: add HSTS in deploy/nginx.conf (web container).
Browser honors HSTS only on HTTPS responses, so unconditional is safe.

max-age=2592000 (30 days), without includeSubDomains and without preload:
pre-emptive consent; it can be safely removed. Once the production stack
settles and admin.food-market.kz has been submitted to hstspreload.org,
raise it to 31536000 + preload + includeSubDomains.

Verified:
  curl -I https://test.admin.food-market.kz/ | grep -i strict
  > strict-transport-security: max-age=2592000

Integration test 08-security-headers.spec.ts checks 7 security
headers on the home page + on 404 (the always parameter).

Cert: 10/10 integration tests passed in 1.3m.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-09 03:35:38 +05:00
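As an added example (not the project's 08-security-headers.spec.ts and not code from this commit), the TypeScript below checks a response's security headers the way the commit describes that spec: the seven required names, with the HSTS value parsed per RFC 6797 so max-age can be asserted against the 30-day floor shipped on stage. The commit names five of the seven headers; the other two (X-Content-Type-Options, Cross-Origin-Opener-Policy), the sample header maps and the 2592000 default are assumptions made for the example, and it runs offline on constructed maps rather than fetching stage.

```typescript
// Added example, not the project's 08-security-headers.spec.ts: checks the
// security headers of one response offline. Sample header maps are constructed.

type HeaderMap = Record<string, string>;

// The commit names CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy
// and HSTS; the last two entries are an assumption to reach the "7 headers".
const REQUIRED_HEADERS: readonly string[] = [
  "content-security-policy",
  "x-frame-options",
  "referrer-policy",
  "permissions-policy",
  "strict-transport-security",
  "x-content-type-options",
  "cross-origin-opener-policy",
];

interface HstsPolicy {
  maxAge: number;
  includeSubDomains: boolean;
  preload: boolean;
}

// Parse a Strict-Transport-Security value (RFC 6797): ';'-separated directives,
// case-insensitive names, max-age required. Returns null if the value is invalid.
function parseHsts(value: string): HstsPolicy | null {
  const policy: HstsPolicy = { maxAge: -1, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const directive = raw.trim();
    if (directive === "") continue;
    const [name, val] = directive.split("=", 2).map((s) => s.trim());
    switch (name.toLowerCase()) {
      case "max-age": {
        const n = Number(val);
        if (!Number.isInteger(n) || n < 0) return null;
        policy.maxAge = n;
        break;
      }
      case "includesubdomains": policy.includeSubDomains = true; break;
      case "preload": policy.preload = true; break;
      default: break; // browsers ignore unknown directives
    }
  }
  return policy.maxAge >= 0 ? policy : null;
}

// Lower-case header names: fetch() already does this, `curl -I` output does not.
function normalize(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns findings; an empty list means the response passes. minMaxAge defaults
// to the 30-day value the commit ships on stage.
function checkSecurityHeaders(headers: HeaderMap, minMaxAge = 2592000): string[] {
  const h = normalize(headers);
  const findings: string[] = [];
  for (const name of REQUIRED_HEADERS) {
    if (!(name in h)) findings.push(`${name} missing`);
  }
  const hsts = h["strict-transport-security"];
  if (hsts !== undefined) {
    const policy = parseHsts(hsts);
    if (policy === null) {
      findings.push("strict-transport-security unparseable");
    } else if (policy.maxAge < minMaxAge) {
      findings.push(`strict-transport-security max-age ${policy.maxAge} < ${minMaxAge}`);
    }
  }
  return findings;
}

// Constructed samples (not captured from stage). "Before" mirrors the audit
// finding: every header except HSTS is present.
const STAGE_BEFORE_FIX: HeaderMap = {
  "Content-Security-Policy": "default-src 'self'",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=()",
  "X-Content-Type-Options": "nosniff",
  "Cross-Origin-Opener-Policy": "same-origin",
};
const STAGE_AFTER_FIX: HeaderMap = {
  ...STAGE_BEFORE_FIX,
  "Strict-Transport-Security": "max-age=2592000",
};
// What a 404 looks like when add_header lacks `always`: nginx emits add_header
// values only on 2xx/3xx by default, so every custom header disappears.
const NOT_FOUND_WITHOUT_ALWAYS: HeaderMap = { "Content-Type": "text/html" };

function main(): void {
  const cases: Array<[string, HeaderMap]> = [
    ["stage before fix", STAGE_BEFORE_FIX],
    ["stage after fix", STAGE_AFTER_FIX],
    ["404 without always", NOT_FOUND_WITHOUT_ALWAYS],
  ];
  for (const [label, headers] of cases) {
    const findings = checkSecurityHeaders(headers);
    console.log(`${label}: ${findings.length === 0 ? "OK" : findings.join("; ")}`);
  }
}

main();
```

In a real spec the header map comes from the response of whatever HTTP client the test uses, once for `/` and once for a path that 404s. The 404 case is the one worth keeping: nginx only attaches `add_header` values to 2xx/3xx responses unless the directive carries `always`, and a `location` block that declares any `add_header` of its own stops inheriting the server-level ones, so an HSTS line that passes on the home page can still be silently absent on error pages or on a location that sets its own headers.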
forgejo ops: Forgejo on git.zat.kz as primary, GitHub as mirror 2026-04-23 12:27:45 +05:00
grafana/dashboards feat(s26): flaky-test detection + observability dashboards (8/8 ✓ 10/10 cert) 2026-06-08 14:44:19 +05:00
nginx feat(public): Phase 6 — public marketing site food-market.public on Astro 2026-04-26 19:11:34 +05:00
prometheus feat(s26): flaky-test detection + observability dashboards (8/8 ✓ 10/10 cert) 2026-06-08 14:44:19 +05:00
telegram-bridge revert(domains): public site → test.food-market.kz, apex 404 until release 2026-05-01 18:06:31 +05:00
.env.example docs(deploy): .env.example + secrets.md, pass OpenIddict env through in compose (P0-8) 2026-05-27 02:51:13 +05:00
anonymize-prod.sh feat(s22): data tooling — export/import + schema docs + anon dump (7 items) 2026-06-07 23:00:54 +05:00
backup.sh ci/deploy: GitHub Actions + Docker images + DB backup + 24x7 plan 2026-04-22 11:26:01 +05:00
check-prod-readiness.sh feat(s21): stage→prod migration toolchain (7 scripts + workflow) 2026-06-07 22:31:10 +05:00
db-schema-diff.sh feat(s21): stage→prod migration toolchain (7 scripts + workflow) 2026-06-07 22:31:10 +05:00
docker-compose.yml feat(s13): security headers + rate-limits + sensitive-ops audit + session revoke + Grafana 2026-06-07 12:30:10 +05:00
docker-registry.service feat(ops): Telegram <-> tmux bridge + local docker-registry unit 2026-04-23 10:53:45 +05:00
Dockerfile.api feat(s17): onboarding wizard + help kb + feedback + diagnostic + whats-new 2026-06-07 17:04:26 +05:00
Dockerfile.web fix(docker): update node:20-alpine → 22-alpine (pnpm 11 requires Node ≥22) 2026-05-18 12:56:12 +05:00
food-market-backup.service feat(deploy): auto-backup of DB+uploads — systemd timer/service + script (P0-6) 2026-05-27 02:49:08 +05:00
food-market-backup.sh feat(deploy): auto-backup of DB+uploads — systemd timer/service + script (P0-6) 2026-05-27 02:49:08 +05:00
food-market-backup.timer feat(deploy): auto-backup of DB+uploads — systemd timer/service + script (P0-6) 2026-05-27 02:49:08 +05:00
food-market-mirror-base-images.service deploy: mirror all base images into local registry — builds no longer need internet 2026-04-23 17:42:48 +05:00
food-market-mirror-base-images.timer deploy: mirror all base images into local registry — builds no longer need internet 2026-04-23 17:42:48 +05:00
generate-release-notes.sh feat(s21): stage→prod migration toolchain (7 scripts + workflow) 2026-06-07 22:31:10 +05:00
mirror-base-images.sh deploy: mirror all base images into local registry — builds no longer need internet 2026-04-23 17:42:48 +05:00
nginx.conf fix(security): add HSTS header on stage + integration test 2026-06-09 03:35:38 +05:00
post-deploy-smoke.sh feat(s21): stage→prod migration toolchain (7 scripts + workflow) 2026-06-07 22:31:10 +05:00
prod-deploy.sh feat(s21): stage→prod migration toolchain (7 scripts + workflow) 2026-06-07 22:31:10 +05:00
prod-rollback.sh feat(s21): stage→prod migration toolchain (7 scripts + workflow) 2026-06-07 22:31:10 +05:00
recovery-restore-orphan-owners.sql feat(employees): chief administrator — terminology + role/activity protection 2026-04-27 19:12:33 +05:00
swagger-diff.sh docs(s24): docs cross-check + auto-gen + onboarding + test gap-fill (8/8 ✓) 2026-06-08 02:15:56 +05:00