feat(security): rate-limit /api/flows/start, CSRF double-submit cookie, CSP headers
- Rate-limit /api/flows/start to 10 req/min per user (in-memory, matches login pattern) - Add middleware.ts: validates x-csrf-token header against csrf_token cookie on all API POST requests; issues the cookie on GET if missing; sets CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy on all responses - Add lib/csrf.ts: client-side apiFetch() wrapper that injects the CSRF header - Update all client components (login, useFlowRun, docker, caddy, git, systemd) to use apiFetch() for POST requests - Cookie config in login route already correct (NODE_ENV check, httpOnly, sameSite=strict) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Scrum4Me Agent
parent
1e31e3b584
commit
aa1fd41bec
11 changed files with 108 additions and 8 deletions
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
import { useState, useCallback, useRef } from 'react'
|
||||
import type { TerminalLine, TerminalStatus } from '@/components/StreamingTerminal'
|
||||
import { apiFetch } from '@/lib/csrf'
|
||||
|
||||
export interface FlowRunState {
|
||||
status: TerminalStatus
|
||||
|
|
@ -26,7 +27,7 @@ export function useFlowRun(onComplete?: (flowRunId: string, exitCode: number | n
|
|||
async (url: string, body: Record<string, unknown>, signal: AbortSignal) => {
|
||||
let response: Response
|
||||
try {
|
||||
response = await fetch(url, {
|
||||
response = await apiFetch(url, {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(body),
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue