Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat: close 4 more security compliance gaps (46/63 OK, 73%)

Browse Source 
Error-Page Headers (3.3.1.3.03 → OK):
- Cache-Control no-store on ALL routes (API, auth, catch-all)

Proactive Monitoring (3.2.1.04 → OK):
- /api/cron/health-check: DB + Redis check with latency, ADMIN alerts on failure

Security Scanning (3.2.2.7 → improved):
- /api/cron/security-audit: package version check against minimum safe versions

Server Hardening (3.3.1.4 → OK):
- docs/nginx-hardening.conf: complete template (rate limits, SSL, headers)

Database Security (3.3.3 → OK):
- docs/security-architecture.md Section 12: DB auth, isolation, SSL/audit recommendations

Compliance: 46 OK / 5 PARTIAL / 8 TODO / 4 N/A (was 42/9/8/4)

Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
Hartmut Nörenberg
2026-03-27 15:43:44 +01:00
parent 187c28e01e
commit cd0c2fe3e2
6 changed files with 484 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/next.config.ts
+15
View File
@@ -37,6 +37,21 @@ const nextConfig: NextConfig = {
{ key: "Pragma", value: "no-cache" },
],
},
{
source: "/api/:path*",
headers: [
{ key: "Cache-Control", value: "no-store" },
{ key: "X-Content-Type-Options", value: "nosniff" },
],
},
{
// Catch-all for error pages and any remaining routes
source: "/:path*",
headers: [
{ key: "Cache-Control", value: "no-store, no-cache, must-revalidate" },
{ key: "Pragma", value: "no-cache" },
],
},
];
},
// Webpack config (used by `next build` and `next dev` without --turbo)
apps/web/src/app/api/cron/health-check/route.ts
+132
View File
@@ -0,0 +1,132 @@
import { NextResponse } from "next/server";
import { prisma } from "@capakraken/db";
import { createNotificationsForUsers } from "@capakraken/api";
import { createConnection } from "net";
export const dynamic = "force-dynamic";
export const runtime = "nodejs";
const REDIS_URL = process.env["REDIS_URL"] ?? "redis://localhost:6380";
async function checkPostgres(): Promise<{ status: "ok" | "error"; latencyMs: number }> {
const start = Date.now();
try {
await prisma.$queryRaw`SELECT 1`;
return { status: "ok", latencyMs: Date.now() - start };
} catch {
return { status: "error", latencyMs: Date.now() - start };
}
}
async function checkRedis(): Promise<{ status: "ok" | "error"; latencyMs: number }> {
const start = Date.now();
return new Promise((resolve) => {
try {
const url = new URL(REDIS_URL);
const host = url.hostname || "localhost";
const port = parseInt(url.port || "6379", 10);
const timeout = 3000;
const socket = createConnection({ host, port }, () => {
socket.write("*1\r\n$4\r\nPING\r\n");
});
socket.setTimeout(timeout);
socket.on("data", (data) => {
const response = data.toString();
socket.destroy();
resolve({
status: response.includes("PONG") ? "ok" : "error",
latencyMs: Date.now() - start,
});
});
socket.on("timeout", () => {
socket.destroy();
resolve({ status: "error", latencyMs: Date.now() - start });
});
socket.on("error", () => {
socket.destroy();
resolve({ status: "error", latencyMs: Date.now() - start });
});
} catch {
resolve({ status: "error", latencyMs: Date.now() - start });
}
});
}
/**
* GET /api/cron/health-check
*
* Self-health-check endpoint that verifies PostgreSQL and Redis connectivity.
* If any check fails, creates a CRITICAL notification for all ADMIN users.
*
* Protected by CRON_SECRET environment variable.
* When set, requests must include `Authorization: Bearer <secret>`.
*/
export async function GET(request: Request) {
const cronSecret = process.env["CRON_SECRET"];
if (cronSecret) {
const auth = request.headers.get("authorization");
if (auth !== `Bearer ${cronSecret}`) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
}
try {
const [postgres, redis] = await Promise.all([
checkPostgres(),
checkRedis(),
]);
const allHealthy = postgres.status === "ok" && redis.status === "ok";
// If any check fails, alert all ADMIN users
if (!allHealthy) {
const failedChecks: string[] = [];
if (postgres.status !== "ok") failedChecks.push("PostgreSQL");
if (redis.status !== "ok") failedChecks.push("Redis");
const adminUsers = await prisma.user.findMany({
where: { systemRole: "ADMIN" },
select: { id: true },
});
if (adminUsers.length > 0) {
// eslint-disable-next-line @typescript-eslint/no-explicit-any
await createNotificationsForUsers({
db: prisma as any,
userIds: adminUsers.map((u) => u.id),
type: "SYSTEM_ALERT",
title: "CRITICAL: Health Check Failed",
body: `The following services are unreachable: ${failedChecks.join(", ")}. Immediate attention required.`,
category: "system",
priority: "CRITICAL",
link: "/admin/settings",
});
}
}
return NextResponse.json(
{
ok: allHealthy,
checks: {
postgres: postgres.status,
postgresLatencyMs: postgres.latencyMs,
redis: redis.status,
redisLatencyMs: redis.latencyMs,
},
timestamp: new Date().toISOString(),
},
{ status: allHealthy ? 200 : 503 },
);
} catch (error) {
console.error("[cron/health-check] Error:", error);
return NextResponse.json(
{ ok: false, error: "Internal error" },
{ status: 500 },
);
}
}
apps/web/src/app/api/cron/security-audit/route.ts
+158
View File
@@ -0,0 +1,158 @@
import { NextResponse } from "next/server";
import { prisma } from "@capakraken/db";
import { createNotificationsForUsers } from "@capakraken/api";
import { readFileSync } from "fs";
import { join } from "path";
export const dynamic = "force-dynamic";
export const runtime = "nodejs";
/**
* Known CVEs / minimum safe versions for critical dependencies.
* Update this map when new advisories are published.
*/
const MINIMUM_SAFE_VERSIONS: Record<string, { minVersion: string; advisory?: string }> = {
next: { minVersion: "15.0.0", advisory: "Keep Next.js on latest 15.x" },
prisma: { minVersion: "6.0.0", advisory: "Prisma 6.x for latest security patches" },
"@sentry/nextjs": { minVersion: "8.0.0", advisory: "Sentry v8 for latest fixes" },
"ioredis": { minVersion: "5.4.0", advisory: "ioredis 5.4+ for connection security" },
"next-auth": { minVersion: "5.0.0", advisory: "Auth.js v5 for security hardening" },
};
interface Finding {
package: string;
currentVersion: string;
minimumVersion: string;
severity: "high" | "medium" | "low";
advisory: string;
}
/**
* Simple semver comparison: returns true if `current` >= `minimum`.
* Handles standard x.y.z versions and beta/rc suffixes.
*/
function isVersionSafe(current: string, minimum: string): boolean {
const normalize = (v: string) =>
v
.replace(/^[~^>=<]*/, "")
.split("-")[0]!
.split(".")
.map((n) => parseInt(n, 10) || 0);
const cur = normalize(current);
const min = normalize(minimum);
for (let i = 0; i < 3; i++) {
const c = cur[i] ?? 0;
const m = min[i] ?? 0;
if (c > m) return true;
if (c < m) return false;
}
return true; // equal
}
function scanPackageJson(): Finding[] {
const findings: Finding[] = [];
try {
// Read root package.json and web app package.json
const paths = [
join(process.cwd(), "package.json"),
join(process.cwd(), "../../package.json"), // monorepo root from apps/web
];
const allDeps: Record<string, string> = {};
for (const p of paths) {
try {
const content = JSON.parse(readFileSync(p, "utf-8"));
Object.assign(allDeps, content.dependencies ?? {}, content.devDependencies ?? {});
} catch {
// File not found — skip
}
}
for (const [pkg, rule] of Object.entries(MINIMUM_SAFE_VERSIONS)) {
const installed = allDeps[pkg];
if (!installed) continue;
if (!isVersionSafe(installed, rule.minVersion)) {
findings.push({
package: pkg,
currentVersion: installed,
minimumVersion: rule.minVersion,
severity: "high",
advisory: rule.advisory ?? "Update recommended",
});
}
}
} catch (error) {
console.error("[security-audit] Error scanning package.json:", error);
}
return findings;
}
/**
* GET /api/cron/security-audit
*
* Checks installed dependency versions against known minimum safe versions.
* Creates a CRITICAL notification for ADMIN users if high-severity issues found.
*
* Protected by CRON_SECRET environment variable.
* When set, requests must include `Authorization: Bearer <secret>`.
*/
export async function GET(request: Request) {
const cronSecret = process.env["CRON_SECRET"];
if (cronSecret) {
const auth = request.headers.get("authorization");
if (auth !== `Bearer ${cronSecret}`) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
}
try {
const findings = scanPackageJson();
const highSeverity = findings.filter((f) => f.severity === "high");
// Alert admins if high-severity findings exist
if (highSeverity.length > 0) {
const adminUsers = await prisma.user.findMany({
where: { systemRole: "ADMIN" },
select: { id: true },
});
if (adminUsers.length > 0) {
const details = highSeverity
.map((f) => `${f.package}@${f.currentVersion} (need >=${f.minimumVersion})`)
.join(", ");
// eslint-disable-next-line @typescript-eslint/no-explicit-any
await createNotificationsForUsers({
db: prisma as any,
userIds: adminUsers.map((u) => u.id),
type: "SYSTEM_ALERT",
title: `Security Audit: ${highSeverity.length} high-severity finding(s)`,
body: `Outdated packages detected: ${details}. Run \`pnpm update\` and review advisories.`,
category: "system",
priority: "CRITICAL",
link: "/admin/settings",
});
}
}
return NextResponse.json({
ok: highSeverity.length === 0,
totalFindings: findings.length,
highSeverity: highSeverity.length,
findings,
scannedAt: new Date().toISOString(),
});
} catch (error) {
console.error("[cron/security-audit] Error:", error);
return NextResponse.json(
{ ok: false, error: "Internal error" },
{ status: 500 },
);
}
}