server/server.js — added helmet with CSP configured to allow Google Fonts

Dockerfile — creates a non-root app user and runs the process under it server/routes.js — tailscale_ip validated against IPv4 regex (empty string still allowed) index.html — sql.js CDN script tag already removed earlier in this session
2026-03-28 09:20:24 -04:00
parent 6e40413385
commit 79adc365d8
7 changed files with 36 additions and 7 deletions
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,14 +1,15 @@
 {
  "name": "catalyst",
-  "version": "1.0.3",
+  "version": "1.1.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "catalyst",
-      "version": "1.0.3",
+      "version": "1.1.0",
      "dependencies": {
-        "express": "^4.18.0"
+        "express": "^4.18.0",
+        "helmet": "^8.1.0"
      },
      "devDependencies": {
        "jsdom": "^25.0.0",
@@ -1958,6 +1959,15 @@
        "node": ">= 0.4"
      }
    },
+    "node_modules/helmet": {
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-8.1.0.tgz",
+      "integrity": "sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
    "node_modules/html-encoding-sniffer": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-4.0.0.tgz",