fix: CSP inline-script hash + SESSION_SECURE=false für HTTP-Betrieb

- CSP: SHA-256-Hash für Theme-Detection Inline-Script hinzugefügt
- docker-compose: SESSION_SECURE=false, damit HSTS und
  upgrade-insecure-requests bei direktem HTTP-Zugriff deaktiviert sind

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ulsklyc
2026-03-26 13:25:32 +01:00
parent 862ba8d9d7
commit 8f3f5cce01
2 changed files with 4 additions and 0 deletions
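--- a/<docker-compose file: path not shown on page>
+++ b/<docker-compose file: path not shown on page>
@@ -12,6 +12,8 @@ services:
 environment:
 - NODE_ENV=production
 - DB_PATH=/data/oikos.db
+# Auf false setzen wenn kein HTTPS/Reverse-Proxy (direkter HTTP-Zugriff)
+- SESSION_SECURE=false
 healthcheck:
 test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/health', r => process.exit(r.statusCode === 200 ? 0 : 1))"]
 interval: 30s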
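Review bot: The compose file now ships `SESSION_SECURE=false` as its baked-in default rather than as an opt-out, so a deployment that is later placed behind TLS keeps the weaker setting unless an operator remembers to flip it, and the comment above it reads as an instruction ("set to false when…") even though the value is already false. According to the commit message this value also turns off HSTS and upgrade-insecure-requests, and presumably the Secure flag on the session cookie; that coupling lives in code not shown here. I would invert the default so plain-HTTP setups have to opt in, e.g. `- SESSION_SECURE=${SESSION_SECURE:-true}`, or at least make the comment state the consequence: `# Only for direct HTTP access without TLS; set to true behind HTTPS/a reverse proxy, otherwise the session cookie is sent without the Secure flag and HSTS stays off`. The service definition starts outside the hunk.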
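--- a/<helmet/CSP config file: path not shown on page>
+++ b/<helmet/CSP config file: path not shown on page>
@@ -37,6 +37,8 @@ app.use(helmet({
 defaultSrc: ["'self'"],
 scriptSrc: [
 "'self'",
+// Inline-Script: Theme-Detection (Flash-Prevention)
+"'sha256-vqqBNo1oitnzIntwkG83UaYqkUAnV/oZ/RkvcA41Y6A='",
 // Alpine.js CDN (optional, falls verwendet)
 'https://cdn.jsdelivr.net',
 ],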
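Review bot: The new `'sha256-…'` entry in scriptSrc is bound to the exact bytes of the theme-detection inline script, but nothing in the hunk records where that script is defined or how the hash was produced, so any later edit to the script (even whitespace) makes the browser block it and brings back the flash it is meant to prevent, with the failure only visible as a CSP violation in the console. I would extend the comment: `// Inline theme-detection script (flash prevention). The hash covers the script's exact bytes — regenerate it (sha256, base64) whenever that script changes; a stale hash silently blocks it.` It may also be worth computing the hash at startup from the same template string the script is rendered from so there is a single source of truth, but the page does not show where the script is rendered, so I cannot tell whether that is practical here. The `app.use(helmet({` call starts and ends outside the hunk.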