Problem: Hardcoded localhost URL in production builds Solution:
- Created environment validation system (
/frontend/src/lib/env.ts) - Required
VITE_API_URLin production mode - Added URL format validation
- Updated blogService to use validated environment
Files Changed:
frontend/src/lib/env.ts(new)frontend/src/services/blogService.ts
Problem: Console.log statements exposing information in production Solution:
- Created proper logging utility (
/frontend/src/lib/logger.ts) - Logs only show in development mode
- Structured logging with timestamps and levels
- Replaced all console.log with proper logger calls
Files Changed:
frontend/src/lib/logger.ts(new)frontend/src/services/blogService.ts
Problem: Using non-null assertion operator without validation Solution:
- Added proper environment variable validation in backend
- Clear error messages for missing required variables
- Validation happens at startup, not at runtime
Files Changed:
backend/src/services/notionService.ts
Problem: Conflicting 'tailwind' package alongside 'tailwindcss' Solution:
- Removed incorrect 'tailwind' package
- Added proper security dependencies (dompurify, @types/dompurify)
Files Changed:
frontend/package.json
Problem: Using dangerouslySetInnerHTML with unsanitized content from external API Solution:
- Added DOMPurify for HTML sanitization
- Created comprehensive sanitization utility (
/frontend/src/lib/sanitize.ts) - Configured to allow only safe HTML tags and attributes
- Added security hooks for external links and images
- Updated BlogPost component to use sanitized content
Files Changed:
frontend/src/lib/sanitize.ts(new)frontend/src/pages/BlogPost.tsxfrontend/package.json
Problem: Malformed docker-compose.yml with multiple YAML documents Solution:
- Fixed production docker-compose.yml structure
- Created separate docker-compose.dev.yml for development
- Improved health check endpoints
- Added proper security configurations
Files Changed:
docker-compose.ymldocker-compose.dev.yml(new)
- β XSS Prevention: HTML sanitization with DOMPurify
- β Environment Validation: Required API URLs in production
- β Information Disclosure Prevention: No console logs in production
- β Secure External Links: Automatic noopener noreferrer attributes
- β Image Security: Data URL and javascript URL blocking
- β Environment Validation: Required variables checked at startup
- β Proper Error Handling: Clear error messages without sensitive data
- β Health Endpoints: Simple endpoints for monitoring
- β Non-root Users: Both containers run as non-root users
- β Security Headers: Nginx configured with security headers
- β Resource Isolation: Proper Docker networking and volumes
# Backend
NOTION_TOKEN=your_notion_token
NOTION_DATABASE_ID=your_database_id
NODE_ENV=production
# Frontend
VITE_API_URL=https://your-api-domain.com/api- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 1; mode=block
- X-Content-Type-Options: nosniff
- Referrer-Policy: no-referrer-when-downgrade
- Content-Security-Policy: Basic CSP
- HTML content sanitized against XSS
- External links secured
- Images validated and lazy-loaded
- Data URLs blocked for security
- Set all required environment variables
- Verify VITE_API_URL points to correct backend
- Test sanitization with various HTML content
- Verify no console logs in production build
- Check that health endpoints respond correctly
- Verify CSP headers are working
- Test external link security attributes
- Confirm environment validation works
- Check Docker container user permissions
- Monitor logs for any security warnings
# Test environment validation
npm run build # Should fail if VITE_API_URL missing in production
# Test HTML sanitization
# Try injecting <script> tags in blog content - should be removed
# Test logging
# Check browser console in production - should be clean
# Test Docker security
docker run --user $(id -u):$(id -g) your-image # Should work with non-root user- Use tools like
npm auditfor dependency vulnerabilities - Run CSP analyzer on deployed frontend
- Test with OWASP ZAP or similar security scanners
- Content Security Policy: Implement stricter CSP headers
- Rate Limiting: Add rate limiting to API endpoints
- Input Validation: Add validation to all API inputs
- HTTPS Enforcement: Ensure all traffic uses HTTPS
- Security Monitoring: Add security event logging
- Regular Updates: Keep dependencies updated
- Monitor for XSS attempts in logs
- Track failed environment validations
- Watch for unusual API access patterns
- Monitor Docker container resource usage
The application is now production-ready with comprehensive security measures! πβ¨