food-market/tests/integration
nns a80471d0f9
Some checks failed
Auto-tag / Create date-tag (push) Waiting to run
CI / Backend (.NET 8) (push) Waiting to run
CI / Web (React + Vite) (push) Waiting to run
CI / POS (WPF, Windows) (push) Waiting to run
Docker Web / Build + push Web (push) Has been cancelled
Docker Web / Deploy Web on stage (push) Has been cancelled
fix(security): add HSTS header on stage + integration test
Found in the Sprint 28 security audit: stage returns security headers
(CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, etc.), but
WITHOUT Strict-Transport-Security. HSTS from ASP.NET Core (Program.cs UseHsts)
does not fire because the api behind the nginx proxy sees the request as HTTP
(no ForwardedHeaders middleware; nginx X-Forwarded-Proto is not decoded).

Simplest fix: add HSTS in deploy/nginx.conf (web container).
Browser honors HSTS only on HTTPS responses, so setting it unconditionally is safe.

max-age=2592000 (30 days), without includeSubDomains and without preload:
pre-emptive consent, can be safely removed. When the production stack
settles and admin.food-market.kz is submitted to hstspreload.org,
raise to 31536000 + preload + includeSubDomains.

Verified:
  curl -I https://test.admin.food-market.kz/ | grep -i strict
  > strict-transport-security: max-age=2592000

Integration test 08-security-headers.spec.ts checks 7 security
headers on the main page + on a 404 (the always parameter).

Cert: 10/10 integration tests passed in 1.3m.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-09 03:35:38 +05:00
.gitignore feat(s27): cross-feature integration + soak + crash recovery (8/8 ✓) 2026-06-09 03:09:17 +05:00
01-permissions-bulk-audit.spec.ts feat(s27): cross-feature integration + soak + crash recovery (8/8 ✓) 2026-06-09 03:09:17 +05:00
02-ofd-mock-reports.spec.ts feat(s27): cross-feature integration + soak + crash recovery (8/8 ✓) 2026-06-09 03:09:17 +05:00
03-loyalty-signalr-i18n.spec.ts feat(s27): cross-feature integration + soak + crash recovery (8/8 ✓) 2026-06-09 03:09:17 +05:00
04-2fa-sso-permissions.spec.ts feat(s27): cross-feature integration + soak + crash recovery (8/8 ✓) 2026-06-09 03:09:17 +05:00
05-real-business-day.spec.ts feat(s27): cross-feature integration + soak + crash recovery (8/8 ✓) 2026-06-09 03:09:17 +05:00
06-edge-cases.spec.ts feat(s27): cross-feature integration + soak + crash recovery (8/8 ✓) 2026-06-09 03:09:17 +05:00
07-import-export-flows.spec.ts docs(s28): api-reference 195→240 + observability + integration #7 + CI 2026-06-09 03:26:39 +05:00
08-security-headers.spec.ts fix(security): add HSTS header on stage + integration test 2026-06-09 03:35:38 +05:00
package.json feat(s27): cross-feature integration + soak + crash recovery (8/8 ✓) 2026-06-09 03:09:17 +05:00
playwright.config.ts feat(s27): cross-feature integration + soak + crash recovery (8/8 ✓) 2026-06-09 03:09:17 +05:00
pnpm-lock.yaml feat(s27): cross-feature integration + soak + crash recovery (8/8 ✓) 2026-06-09 03:09:17 +05:00
tsconfig.json feat(s27): cross-feature integration + soak + crash recovery (8/8 ✓) 2026-06-09 03:09:17 +05:00