food-market/tests
nns a80471d0f9
Some checks failed
Auto-tag / Create date-tag (push) Waiting to run
CI / Backend (.NET 8) (push) Waiting to run
CI / Web (React + Vite) (push) Waiting to run
CI / POS (WPF, Windows) (push) Waiting to run
Docker Web / Build + push Web (push) Has been cancelled
Docker Web / Deploy Web on stage (push) Has been cancelled
fix(security): add HSTS header on stage + integration test
Found in the Sprint 28 security audit: stage serves the security headers
(CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, etc.), but
WITHOUT Strict-Transport-Security. HSTS from ASP.NET Core (Program.cs UseHsts)
does not fire because the api behind the nginx proxy sees the request as HTTP
(no ForwardedHeaders middleware; nginx's X-Forwarded-Proto is not decoded).

Simplest fix: add HSTS in deploy/nginx.conf (web container).
Browser honors HSTS only on HTTPS responses, so setting it unconditionally is safe.

max-age=2592000 (30 days), without includeSubDomains and without preload:
pre-emptive consent, can be safely removed. Once the production stack
settles and admin.food-market.kz is submitted to hstspreload.org,
increase to 31536000 + preload + includeSubDomains.

Verified:
  curl -I https://test.admin.food-market.kz/ | grep -i strict
  > strict-transport-security: max-age=2592000

Integration test 08-security-headers.spec.ts checks 7 security
headers on the main page + on the 404 page (the always parameter).

Cert: 10/10 integration tests passed in 1.3m.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-09 03:35:38 +05:00
e2e feat(s25): autonomous continuous quality monitoring (8/8) 2026-06-08 12:50:35 +05:00
food-market.IntegrationTests docs(s28): api-reference 195→240 + observability + integration #7 + CI 2026-06-09 03:26:39 +05:00
food-market.UnitTests test(s15): axe a11y + focus traps + unit coverage 80% + property tests + backup drill 2026-06-07 14:53:38 +05:00
integration fix(security): add HSTS header on stage + integration test 2026-06-09 03:35:38 +05:00
load feat(s27): cross-feature integration + soak + crash recovery (8/8 ✓) 2026-06-09 03:09:17 +05:00
regression feat(s26): flaky-test detection + observability dashboards (8/8 ✓ 10/10 cert) 2026-06-08 14:44:19 +05:00
stage-smoke.sh docs(s12): ARCHITECTURE/MULTI-TENANCY/RUNBOOK/DEVELOPER-GUIDE + k6 baseline + stage-verify CI 2026-06-07 03:19:25 +05:00