Conversation
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Honoの`secureHeaders`ミドルウェアを全体に適用し、 XSS対策やクリックジャッキング対策などのセキュリティを強化しました。 Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
デフォルトの`no-referrer`による将来的なCSRFチェックへの影響を避けるため、 `referrerPolicy`に`strict-origin-when-cross-origin`を明示的に指定しました。 Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
…367244681164' into sentinel/security-headers-653258367244681164
フロントエンドがエラーを適切にパースできるよう、
CSRFチェック失敗時のレスポンスをtextからJSON (`{ error: "Forbidden" }`)に変更しました。
また、関連するテストを更新しJSONレスポンスを検証するようにしました。
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
…headers-653258367244681164
Bumps the npm_and_yarn group with 1 update in the /apps/web directory: [axios](https://github.com/axios/axios). Updates `axios` from 1.15.0 to 1.16.0 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.15.0...v1.16.0) --- updated-dependencies: - dependency-name: axios dependency-version: 1.16.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
…258367244681164 🛡️ Sentinel: [HIGH] セキュリティヘッダー(secureHeaders)の追加
|
The latest updates on your projects. Learn more about Vercel for GitHub. 1 Skipped Deployment
|
…-improvement-17287036571437809720
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
Comment on lines
+24
to
+33
| app.use( | ||
| "*", | ||
| secureHeaders({ | ||
| referrerPolicy: "strict-origin-when-cross-origin", | ||
| contentSecurityPolicy: { | ||
| defaultSrc: ["'none'"], | ||
| frameAncestors: ["'none'"], | ||
| }, | ||
| }), | ||
| ); |
Contributor
There was a problem hiding this comment.
frameAncestors: ["'none'"] はフレーム埋め込みを完全拒否することを意図していますが、hono/secure-headers のデフォルト値である X-Frame-Options: SAMEORIGIN はそのまま送信されるため、設定が矛盾しています。CSP frame-ancestors をサポートしない古いブラウザでは、同一オリジンからの iframe 埋め込みが許可されてしまいます。xFrameOptions: "DENY" を明示的に指定することで一貫性が保たれます。
Suggested change
| app.use( | |
| "*", | |
| secureHeaders({ | |
| referrerPolicy: "strict-origin-when-cross-origin", | |
| contentSecurityPolicy: { | |
| defaultSrc: ["'none'"], | |
| frameAncestors: ["'none'"], | |
| }, | |
| }), | |
| ); | |
| app.use( | |
| "*", | |
| secureHeaders({ | |
| xFrameOptions: "DENY", | |
| referrerPolicy: "strict-origin-when-cross-origin", | |
| contentSecurityPolicy: { | |
| defaultSrc: ["'none'"], | |
| frameAncestors: ["'none'"], | |
| }, | |
| }), | |
| ); |
Prompt To Fix With AI
This is a comment left during a code review.
Path: apps/api/src/index.ts
Line: 24-33
Comment:
`frameAncestors: ["'none'"]` はフレーム埋め込みを完全拒否することを意図していますが、`hono/secure-headers` のデフォルト値である `X-Frame-Options: SAMEORIGIN` はそのまま送信されるため、設定が矛盾しています。CSP `frame-ancestors` をサポートしない古いブラウザでは、同一オリジンからの iframe 埋め込みが許可されてしまいます。`xFrameOptions: "DENY"` を明示的に指定することで一貫性が保たれます。
```suggestion
app.use(
"*",
secureHeaders({
xFrameOptions: "DENY",
referrerPolicy: "strict-origin-when-cross-origin",
contentSecurityPolicy: {
defaultSrc: ["'none'"],
frameAncestors: ["'none'"],
},
}),
);
```
How can I resolve this? If you propose a fix, please make it concise.chore: sync main into staging
…-improvement-17287036571437809720
…t-17287036571437809720 🎨 Palette: トースト通知のスクリーンリーダー読み上げ対応 (アクセシビリティ改善)
…_yarn/apps/web/npm_and_yarn-ac20752053
…web/npm_and_yarn-ac20752053 chore(deps): bump axios from 1.15.0 to 1.16.0 in /apps/web in the npm_and_yarn group across 1 directory
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Promotes
stagingintomain.stagingmainnpm run pr:promoteIncluded PRs
Compare