openclaw/oikos
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: CSP inline-script hash + SESSION_SECURE=false für HTTP-Betrieb

Browse Source 
- CSP: SHA-256-Hash für Theme-Detection Inline-Script hinzugefügt
- docker-compose: SESSION_SECURE=false, damit HSTS und
  upgrade-insecure-requests bei direktem HTTP-Zugriff deaktiviert sind

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
ulsklyc
2026-03-26 13:25:32 +01:00
parent 862ba8d9d7
commit 8f3f5cce01
2 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docker-compose.yml
+2
View File
@@ -12,6 +12,8 @@ services:
environment:
- NODE_ENV=production
- DB_PATH=/data/oikos.db
# Auf false setzen wenn kein HTTPS/Reverse-Proxy (direkter HTTP-Zugriff)
- SESSION_SECURE=false
healthcheck:
test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/health', r => process.exit(r.statusCode === 200 ? 0 : 1))"]
interval: 30s
server/index.js
+2
View File
@@ -37,6 +37,8 @@ app.use(helmet({
defaultSrc: ["'self'"],
scriptSrc: [
"'self'",
// Inline-Script: Theme-Detection (Flash-Prevention)
"'sha256-vqqBNo1oitnzIntwkG83UaYqkUAnV/oZ/RkvcA41Y6A='",
// Alpine.js CDN (optional, falls verwendet)
'https://cdn.jsdelivr.net',
],