From 7582813f20a872889041d4d8dd833110b118adf6 Mon Sep 17 00:00:00 2001 From: salvacybersec Date: Tue, 11 Nov 2025 14:05:20 +0300 Subject: [PATCH] mesela yani --- Dockerfile | 2 +- backend/src/app.js | 40 ++++++++++++++++++++++++++++++++++++++-- docker-entrypoint.sh | 8 ++++++++ 3 files changed, 47 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index a0d35d0..355dbc1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,7 +14,7 @@ RUN npm install COPY frontend/ ./ # Build frontend (output will be in dist/) -RUN npm run build +RUN npm run build && test -f dist/index.html # Stage 2: Backend + Runtime FROM node:20-alpine diff --git a/backend/src/app.js b/backend/src/app.js index 304708d..e247c68 100644 --- a/backend/src/app.js +++ b/backend/src/app.js @@ -15,6 +15,26 @@ const PORT = process.env.PORT || 3000; // Security middleware - Helmet'i tamamen kaldır (CORS ve mixed content sorunları için) // app.use(helmet()); // Geçici olarak devre dışı +// Basic CSP for SPA and assets to avoid white page due to blocked module scripts +// Allow self assets, inline/eval for Vite-built bundles, blobs/data, and API/websocket connections +app.use((req, res, next) => { + // Only set CSP for HTML responses later, but keeping a permissive default helps some browsers on preload + res.setHeader( + 'Content-Security-Policy', + [ + "default-src 'self' data: blob:;", + "script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:;", + "style-src 'self' 'unsafe-inline';", + "img-src 'self' data: blob:;", + "font-src 'self' data:;", + "connect-src 'self' http: https: ws: wss:;", + "frame-ancestors 'self';", + 'base-uri \'self\';', + ].join(' ') + ); + next(); +}); + // CORS - Her yerden erişime izin ver (tüm route'larda) app.use((req, res, next) => { res.header('Access-Control-Allow-Origin', '*'); @@ -51,12 +71,21 @@ app.use(express.static(path.join(__dirname, 'public'), { res.set('Access-Control-Allow-Methods', 'GET, OPTIONS'); res.set('Access-Control-Allow-Headers', 'Content-Type, Accept, Origin'); res.set('Access-Control-Allow-Credentials', 'true'); + // Ensure CSP also present on static (mainly harmless for non-HTML) + res.set('Content-Security-Policy', + "default-src 'self' data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' http: https: ws: wss:; frame-ancestors 'self'; base-uri 'self';" + ); // Content-Type header'larını doğru ayarla if (filePath.endsWith('.js')) { + // Serve ES modules correctly res.set('Content-Type', 'application/javascript; charset=utf-8'); } else if (filePath.endsWith('.css')) { res.set('Content-Type', 'text/css; charset=utf-8'); + } else if (filePath.endsWith('.mjs')) { + res.set('Content-Type', 'application/javascript; charset=utf-8'); + } else if (filePath.endsWith('.svg')) { + res.set('Content-Type', 'image/svg+xml'); } } })); @@ -113,13 +142,20 @@ app.get('*', (req, res, next) => { res.header('Access-Control-Allow-Origin', '*'); res.header('Access-Control-Allow-Methods', 'GET, OPTIONS'); res.header('Access-Control-Allow-Headers', 'Content-Type'); + // Explicit CSP for HTML documents + res.setHeader( + 'Content-Security-Policy', + "default-src 'self' data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' http: https: ws: wss:; frame-ancestors 'self'; base-uri 'self';" + ); // Serve frontend index.html for all other routes const frontendPath = path.join(__dirname, 'public', 'dist', 'index.html'); res.sendFile(frontendPath, (err) => { if (err) { - // If frontend build doesn't exist, return 404 - next(); + // If frontend build doesn't exist, inform clearly + res.status(503).send( + 'Frontend build not found. Please build the frontend (npm run build) and ensure dist is copied to backend/src/public/dist.' + ); } }); }); diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 9ff75ca..c939309 100644 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -42,6 +42,14 @@ else fi fi +# Ensure frontend build exists before starting server +FRONTEND_INDEX="src/public/dist/index.html" +if [ ! -f "$FRONTEND_INDEX" ]; then + echo "❌ Frontend build not found at $FRONTEND_INDEX" + echo "ℹ️ Please run 'npm run build' in the frontend (or rebuild the Docker image) so the dist assets are available." + exit 1 +fi + # Start the application echo "✨ Starting server..." exec "$@"