From ed75f1bd1064f0dddffc3d55b860ae861216cd65 Mon Sep 17 00:00:00 2001
From: salvacybersec
Date: Tue, 11 Nov 2025 06:05:12 +0300
Subject: [PATCH] Fix: Add trust proxy for reverse proxy and fix asset paths for HTTPS
---
 backend/src/app.js | 6 +++++-
 frontend/vite.config.js | 14 ++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/backend/src/app.js b/backend/src/app.js
index 1c60495..e9d9394 100644
--- a/backend/src/app.js
+++ b/backend/src/app.js
@@ -12,6 +12,10 @@ const { apiLimiter } = require('./middlewares/rateLimiter');
 const app = express();
 const PORT = process.env.PORT || 3000;
+// Trust proxy (for Nginx Proxy Manager / reverse proxy)
+// This allows Express to correctly handle X-Forwarded-* headers
+app.set('trust proxy', true);
+
 // Security middleware with relaxed CSP for SPA
 app.use(
 helmet({
@@ -32,7 +36,7 @@ app.use(
 connectSrc: ["'self'", "https:", "http:", "ws:", "wss:"], // Allow API calls
 frameSrc: ["'none'"],
 objectSrc: ["'none'"],
- upgradeInsecureRequests: [], // Upgrade HTTP to HTTPS if needed
+ // upgradeInsecureRequests removed - causes issues with reverse proxy
 },
 },
 crossOriginEmbedderPolicy: false, // Disable for better compatibility
diff --git a/frontend/vite.config.js b/frontend/vite.config.js
index 8b0f57b..5ed7bf8 100644
--- a/frontend/vite.config.js
+++ b/frontend/vite.config.js
@@ -4,4 +4,18 @@ import react from '@vitejs/plugin-react'
 // https://vite.dev/config/
 export default defineConfig({
 plugins: [react()],
+ // Use relative paths for assets (works with both HTTP and HTTPS)
+ base: '/',
+ build: {
+ // Ensure assets use relative paths
+ assetsDir: 'assets',
+ rollupOptions: {
+ output: {
+ // Use relative paths for asset imports
+ assetFileNames: 'assets/[name]-[hash][extname]',
+ chunkFileNames: 'assets/[name]-[hash].js',
+ entryFileNames: 'assets/[name]-[hash].js',
+ },
+ },
+ },
 })
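Review bot: `app.set('trust proxy', true);` in the first backend/src/app.js hunk trusts every hop, so Express derives `req.ip` from the left-most `X-Forwarded-For` entry, which the client controls. If `apiLimiter` keys on `req.ip` (its definition is outside this hunk), per-client rate limiting and any IP-based logging then rest on a spoofable value. With a single Nginx Proxy Manager hop in front, `app.set('trust proxy', 1);` or the proxy's address or subnet keeps the forwarded headers usable while ignoring values supplied by the client. The comment above it could also state how many proxies are expected, so the setting is revisited if the topology changes.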
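Review bot: Commenting out `upgradeInsecureRequests` in the second backend/src/app.js hunk may not actually remove the directive. When Helmet merges its default directives, `upgrade-insecure-requests` is still emitted unless the key is set to null, i.e. `upgradeInsecureRequests: null,`. Whether defaults are merged depends on `useDefaults`, which cannot be seen here because the `directives` object starts outside the hunk. If the directive is really dropped, the replacement comment should say that HTTPS enforcement now depends on the reverse proxy's redirect, since `connectSrc` a few lines above still permits `http:` and `ws:`.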
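Review bot: The added comments in frontend/vite.config.js describe relative asset paths, but `base: '/'` is a root-absolute base and, as far as I know, Vite's default. `assetsDir: 'assets'` and the three `*FileNames` patterns also appear to match Vite's defaults, so this hunk probably changes nothing in the build output. If relative URLs are the goal, the line would be `base: './',`. Otherwise reword the comment to something like `// Root-absolute base (Vite default); asset URLs inherit the page's scheme and host` and drop the redundant `build` block.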