marcoallegretti/likwid
1
0
Fork 0
mirror of https://codeberg.org/likwid/likwid.git synced 2026-02-09 21:13:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

dev: harden dev-start and add security headers

Browse source
This commit is contained in:
Marco Allegretti 2026-02-01 14:26:56 +01:00
parent e42bdfb4aa
commit 4443e84eb7
2 changed files with 47 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
backend/src/main.rs
View file

@ -9,7 +9,9 @@ mod voting;
use std::net::SocketAddr; use std::net::SocketAddr;
use std::sync::Arc; use std::sync::Arc;
use axum::Extension; use axum::{middleware, Extension};
use axum::http::{HeaderName, HeaderValue};
use axum::response::Response;
use chrono::{Datelike, Timelike, Utc, Weekday}; use chrono::{Datelike, Timelike, Utc, Weekday};
use serde_json::json; use serde_json::json;
use thiserror::Error; use thiserror::Error;
@ -205,7 +207,8 @@ async fn run() -> Result<(), StartupError> {
.layer(Extension(plugins)) .layer(Extension(plugins))
.layer(Extension(config.clone())) .layer(Extension(config.clone()))
.layer(cors) .layer(cors)
.layer(TraceLayer::new_for_http()); .layer(TraceLayer::new_for_http())
.layer(middleware::map_response(add_security_headers));
let host: std::net::IpAddr = config.server_host.parse() let host: std::net::IpAddr = config.server_host.parse()
.unwrap_or_else(|_| std::net::IpAddr::V4(std::net::Ipv4Addr::new(127, 0, 0, 1))); .unwrap_or_else(|_| std::net::IpAddr::V4(std::net::Ipv4Addr::new(127, 0, 0, 1)));
@ -219,3 +222,30 @@ async fn run() -> Result<(), StartupError> {
Ok(()) Ok(())
} }
async fn add_security_headers(mut res: Response) -> Response {
let headers = res.headers_mut();
if !headers.contains_key("x-content-type-options") {
headers.insert(
HeaderName::from_static("x-content-type-options"),
HeaderValue::from_static("nosniff"),
);
}
if !headers.contains_key("x-frame-options") {
headers.insert(
HeaderName::from_static("x-frame-options"),
HeaderValue::from_static("DENY"),
);
}
if !headers.contains_key("referrer-policy") {
headers.insert(
HeaderName::from_static("referrer-policy"),
HeaderValue::from_static("no-referrer"),
);
}
res
}

20
scripts/dev-start.ps1
View file

@ -53,11 +53,21 @@ try {
Write-Host "Starting PostgreSQL..." Write-Host "Starting PostgreSQL..."
$composeFile = Join-Path $root 'compose/dev.yml' $composeFile = Join-Path $root 'compose/dev.yml'
podman-compose -f $composeFile up -d 2>$null $composeExitCode = 0
$composeExitCode = $LASTEXITCODE try {
podman-compose -f $composeFile up -d 2>$null
$composeExitCode = $LASTEXITCODE
} catch {
$composeExitCode = $LASTEXITCODE
}
if ($composeExitCode -ne 0) { if ($composeExitCode -ne 0) {
podman container exists likwid-postgres 2>$null $containerExistsExitCode = 0
$containerExistsExitCode = $LASTEXITCODE try {
podman container exists likwid-postgres 2>$null
$containerExistsExitCode = $LASTEXITCODE
} catch {
$containerExistsExitCode = $LASTEXITCODE
}
if ($containerExistsExitCode -ne 0) { if ($containerExistsExitCode -ne 0) {
throw "Failed to start PostgreSQL via podman-compose (exit code: $composeExitCode)." throw "Failed to start PostgreSQL via podman-compose (exit code: $composeExitCode)."
} }
@ -75,7 +85,7 @@ for ($i = 0; $i -lt $maxWait; $i++) {
Write-Host "Running database migrations..." Write-Host "Running database migrations..."
Push-Location (Join-Path $root 'backend') Push-Location (Join-Path $root 'backend')
try { try {
sqlx migrate run sqlx migrate run --ignore-missing
if ($LASTEXITCODE -ne 0) { if ($LASTEXITCODE -ne 0) {
throw "Failed to run database migrations (sqlx migrate run)." throw "Failed to run database migrations (sqlx migrate run)."
} }