[NX-203] Finalize production CORS and reverse-proxy security profile #13

Closed
opened 2026-02-13 13:17:32 +00:00 by nessi · 1 comment

Goal

Provide a secure and repeatable proxy deployment profile.

Scope

  • Define recommended CORS setup per environment.
  • Document reverse proxy headers and API path forwarding.
  • Validate no mixed-content in HTTPS deployments.

Acceptance Criteria

  • Production profile documented and tested.
  • CORS behavior is predictable and secure.
nessi added the P0 label 2026-02-13 13:17:39 +00:00
nessi added this to the v1.0 - Stability, Reliability & Security (P0) milestone 2026-02-13 13:17:43 +00:00
Author
Owner

NX-203 Completed

Implemented a secure and repeatable proxy deployment profile with documented CORS policy and HTTPS guardrails.

What was delivered

  • Added production proxy profile assets:
    • ops/profiles/prod/.env.production.example
    • ops/profiles/prod/nginx/nexapg.conf
  • Added deployment documentation:
    • docs/deployment/proxy-production-profile.md
  • Added CI guardrail validation:
    • .github/workflows/proxy-profile-validation.yml
    • ops/scripts/validate_proxy_profile.sh
  • Updated environment templates for frontend runtime port consistency (8080):
    • .env.example
    • ops/.env.example
  • Updated README to include Production Proxy Profile section and references.

Coverage vs. Acceptance Criteria

  • Production profile documented and tested
    Met:
    • documented profile files and deployment rules
    • CI validation workflow enforces profile guardrails on push/PR
    • local validation script passes (PASS)
  • CORS behavior is predictable and secure
    Met:
    • explicit per-environment CORS recommendations (dev/staging/prod)
    • production profile enforces explicit HTTPS origin (no wildcard)
  • Validate no mixed-content in HTTPS deployments
    Met:
    • frontend API resolver includes HTTPS mixed-content protection
    • profile prescribes relative API base (/api/v1)
    • CI checks include mixed-content guard verification

Additional note

  • Frontend non-root runtime startup reliability was addressed by moving the NGINX PID path to a writable location (/tmp/nginx/nginx.pid) while keeping non-root execution.
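The comment above names two guardrails without showing them: a per-environment CORS policy that allows only explicit HTTPS origins in production (no wildcard), and a frontend API-base resolver that prevents mixed content by preferring the relative base /api/v1. The following JavaScript is an added example written for this page; it is not NexaPG's own code and does not reproduce the files listed above. The environment names, the 8080 port and the /api/v1 base come from the issue; the hostnames, the function names and the profile shape are constructed assumptions.

```javascript
// Added example (not NexaPG project code). Hostnames below are constructed.
// Per-environment CORS policy: dev may use plain-HTTP localhost origins,
// staging and prod must list explicit HTTPS origins and never "*".
const CORS_PROFILES = {
  dev: { allowedOrigins: ["http://localhost:8080", "http://127.0.0.1:8080"], allowCredentials: true },
  staging: { allowedOrigins: ["https://staging.example.test"], allowCredentials: true },
  prod: { allowedOrigins: ["https://app.example.test"], allowCredentials: true },
};

// Normalise an Origin string to its scheme://host[:port] form, or null if it
// is not a parseable URL (the literal "null" origin also lands here).
function normaliseOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Lint a profile the way a CI guardrail would: returns a list of problems,
// empty when the profile is acceptable for the given environment.
function validateCorsProfile(env, profile) {
  const problems = [];
  const origins = Array.isArray(profile.allowedOrigins) ? profile.allowedOrigins : [];
  if (origins.length === 0) problems.push("no allowed origins configured");
  for (const o of origins) {
    if (o === "*" || o === "null") {
      problems.push(`wildcard or null origin not allowed: ${o}`);
      continue;
    }
    let url;
    try {
      url = new URL(o);
    } catch {
      problems.push(`not a valid origin URL: ${o}`);
      continue;
    }
    // An origin is scheme + host + port only; a path or query means a typo.
    if (url.pathname !== "/" || url.search || url.hash) problems.push(`origin carries a path or query: ${o}`);
    if (env !== "dev" && url.protocol !== "https:") problems.push(`non-HTTPS origin in ${env}: ${o}`);
  }
  if (origins.includes("*") && profile.allowCredentials) problems.push("wildcard origin combined with credentials");
  return problems;
}

// Compute the CORS response headers for one request. The Origin header is
// matched exactly against the allowlist (no prefix/suffix matching) and only
// the matched value is echoed back, so unknown origins get no CORS headers.
function corsHeadersFor(env, requestOrigin) {
  const profile = CORS_PROFILES[env];
  const origin = requestOrigin ? normaliseOrigin(requestOrigin) : null;
  if (!profile || !origin) return {};
  const allowed = profile.allowedOrigins.map(normaliseOrigin);
  if (!allowed.includes(origin)) return {};
  const headers = { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  if (profile.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Frontend API-base resolver with mixed-content protection. A relative base
// inherits the page's scheme, so it can never produce mixed content; an
// absolute http:// base on an https: page would be blocked by the browser,
// so the resolver falls back to the relative base the profile prescribes.
const DEFAULT_RELATIVE_BASE = "/api/v1";

function resolveApiBase(configuredBase, pageProtocol) {
  if (!configuredBase) return DEFAULT_RELATIVE_BASE;
  if (configuredBase.startsWith("/")) return configuredBase.replace(/\/$/, "") || "/";
  let url;
  try {
    url = new URL(configuredBase);
  } catch {
    return DEFAULT_RELATIVE_BASE; // unparseable config: fail to the safe default
  }
  if (pageProtocol === "https:" && url.protocol === "http:") {
    return DEFAULT_RELATIVE_BASE; // mixed content would be blocked; use same-origin proxy path
  }
  return url.href.replace(/\/$/, "");
}
```

The exact-match rule in corsHeadersFor is the part worth copying: comparing normalised origins avoids the common regex or `endsWith` allowlist bug where `https://app.example.test.attacker.example` passes as `app.example.test`. The resolver's fallback to the relative base assumes the reverse proxy forwards /api/v1 to the backend, which is what the profile above prescribes.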
nessi closed this issue 2026-02-15 11:23:56 +00:00
Reference: nessi/NexaPG#13