2939bfa608
- CSRF: upgrade session cookie sameSite from 'lax' to 'strict'.
- Rate limiting: login endpoint now blocks an IP after 10 failed attempts in a 15-minute window; resets on success. In-memory, no new dependency.
- SESSION_SECRET: server exits at startup when NODE_ENV=production and SESSION_SECRET is unset. docker-compose.yml updated to pass it via env; .env.example added with generation instructions.
- Security headers: add X-Content-Type-Options, X-Frame-Options, and Referrer-Policy to all responses.
- Sensitive data: routing_number and account_number are now omitted from GET /api/account/:id responses for non-admin users.
- Image size: logo upload capped at 512 KB in the account PUT handler.
- Amount validation: checks (POST/PUT) and deposit items (POST/PUT) now reject non-finite and non-positive amounts.
- QBO import: uploaded file is rejected if its MIME type is not text or a known CSV variant.
20 lines
513 B
YAML
services:
  check-printing:
    image: dogiakos/check-printing:latest
    container_name: check-printing
    restart: unless-stopped
    ports:
      - "3003:3000"
    volumes:
      # Persistent data: SQLite DB lives here
      - check-printing-data:/app/data
    environment:
      - NODE_ENV=production
      - PORT=3000
      - DB_PATH=/app/data/check-printing.db
      # Required in production — generate with: openssl rand -hex 32
      - SESSION_SECRET=${SESSION_SECRET}

volumes:
  check-printing-data: