diff --git a/Gemfile b/Gemfile
index 9e68a09..cb1fd39 100644
--- a/Gemfile
+++ b/Gemfile
@@ -41,8 +41,6 @@ gem "image_processing", "~> 1.12"
# Security update
gem "nokogiri", ">= 1.12.5"
-# Use Rack CORS for handling Cross-Origin Resource Sharing (CORS), making cross-origin AJAX possible
-gem "rack-cors"
gem "devise_token_auth", "~> 1.2", ">= 1.2.2"
gem "jsonapi-serializer"
gem "pundit"
diff --git a/Gemfile.lock b/Gemfile.lock
index bfd29ef..4e2f669 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -310,9 +310,6 @@ GEM
rack (3.2.5)
rack-attack (6.8.0)
rack (>= 1.0, < 4)
- rack-cors (3.0.0)
- logger
- rack (>= 3.0.14)
rack-session (2.1.1)
base64 (>= 0.1.0)
rack (>= 3.0.0)
@@ -513,7 +510,6 @@ DEPENDENCIES
puma (~> 7.0)
pundit
rack-attack
- rack-cors
rails (~> 8.1)
resend
rubocop-rails-omakase
diff --git a/app/views/layouts/display.html.erb b/app/views/layouts/display.html.erb
index 6ad06ca..1e7adc7 100644
--- a/app/views/layouts/display.html.erb
+++ b/app/views/layouts/display.html.erb
@@ -18,7 +18,7 @@
<%# Be sure to add your own custom favicons %>
<%= render "shared/favicons" %>
-
+
<%= yield :head %>
diff --git a/app/views/layouts/errors.html.erb b/app/views/layouts/errors.html.erb
index 68b667b..8bf2fca 100644
--- a/app/views/layouts/errors.html.erb
+++ b/app/views/layouts/errors.html.erb
@@ -18,7 +18,7 @@
<%# Be sure to add your own custom favicons %>
<%= render "shared/favicons" %>
-
+
<%= yield :head %>
diff --git a/app/views/layouts/minimal.html.erb b/app/views/layouts/minimal.html.erb
index 579b9f1..7489e12 100644
--- a/app/views/layouts/minimal.html.erb
+++ b/app/views/layouts/minimal.html.erb
@@ -18,7 +18,7 @@
<%# Be sure to add your own custom favicons %>
<%= render "shared/favicons" %>
-
+
<%= yield :head %>
diff --git a/config/environments/production.rb b/config/environments/production.rb
index ff6d1af..71c28fc 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -79,10 +79,13 @@
config.active_record.dump_schema_after_migration = false
# Enable DNS rebinding protection and other `Host` header attacks.
- # config.hosts = [
- # "example.com", # Allow requests from example.com
- # /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
- # ]
+ # Render automatically sets RENDER_EXTERNAL_HOSTNAME to the service's hostname
+ # (e.g. nativeapptemplateapi.onrender.com). No manual configuration needed.
+ # APP_HOST is for the custom domain (set in Render env vars).
+ config.hosts = [
+ ENV["RENDER_EXTERNAL_HOSTNAME"],
+ ENV["APP_HOST"]
+ ].compact
# Skip DNS rebinding protection for the default health check endpoint.
- # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+ config.host_authorization = {exclude: ->(request) { request.path == "/up" }}
end
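Review bot: The `.compact` on the new `config.hosts` assignment silently disables host authorization when neither `RENDER_EXTERNAL_HOSTNAME` nor `APP_HOST` is exported, because Rails treats an empty `config.hosts` as "accept any Host header", so a deployment that forgets one variable loses the DNS-rebinding protection the comment above promises instead of failing loudly. A boot-time guard right after the assignment makes that visible: `raise "config.hosts is empty: set RENDER_EXTERNAL_HOSTNAME or APP_HOST" if config.hosts.empty?` (scope it if build-time tasks legitimately run without those variables). Note also that `.compact` drops only `nil`, so a variable that is set but empty leaves `""` in the list; `.compact_blank` from ActiveSupport handles both cases. The `Rails.application.configure do` block that encloses these lines begins before the hunk.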
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index d51d713..941844f 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -4,26 +4,24 @@
# See the Securing Rails Applications Guide for more information:
# https://guides.rubyonrails.org/security.html#content-security-policy-header
-# Rails.application.configure do
-# config.content_security_policy do |policy|
-# policy.default_src :self, :https
-# policy.font_src :self, :https, :data
-# policy.img_src :self, :https, :data
-# policy.object_src :none
-# policy.script_src :self, :https
-# policy.style_src :self, :https
-# # Specify URI for violation reports
-# # policy.report_uri "/csp-violation-report-endpoint"
-# end
-#
-# # Generate session nonces for permitted importmap, inline scripts, and inline styles.
-# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-# config.content_security_policy_nonce_directives = %w(script-src style-src)
-#
-# # Automatically add `nonce` to `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag`
-# # if the corresponding directives are specified in `content_security_policy_nonce_directives`.
-# # config.content_security_policy_nonce_auto = true
-#
-# # Report violations without enforcing the policy.
-# # config.content_security_policy_report_only = true
-# end
+Rails.application.configure do
+ config.content_security_policy do |policy|
+ policy.default_src :self
+ policy.font_src :self, "https://fonts.gstatic.com"
+ policy.img_src :self, :data
+ policy.object_src :none
+ policy.script_src :self
+ policy.style_src :self, :unsafe_inline, "https://fonts.googleapis.com"
+ policy.connect_src :self
+ policy.frame_src :self
+ policy.base_uri :self
+ policy.form_action :self
+ end
+
+ # Generate session nonces for permitted importmap and inline scripts.
+ config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+ config.content_security_policy_nonce_directives = %w[script-src]
+
+ # Report violations without enforcing the policy.
+ # config.content_security_policy_report_only = true
+end
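Review bot: `policy.style_src :self, :unsafe_inline, "https://fonts.googleapis.com"` reopens inline-style injection that the nonce mechanism exists to prevent, and because `content_security_policy_nonce_directives` now lists only `script-src`, inline `<style>` blocks get no nonce at all. Browsers that support nonces ignore `'unsafe-inline'` in a directive that also carries one, so the cleaner choice is `config.content_security_policy_nonce_directives = %w[script-src style-src]` with `:unsafe_inline` removed and inline styles rendered with `nonce: true`; if a third-party widget genuinely needs `:unsafe_inline`, say so in a comment above that line. The generator `->(request) { request.session.id.to_s }` yields one nonce per session rather than per response; `->(request) { SecureRandom.base64(16) }` gives the per-request value a nonce is meant to be. The policy also sets no `report_uri`, so violations in production are never observed; wiring a report endpoint before tightening further would make the next iteration evidence-based.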
diff --git a/config/initializers/devise_token_auth.rb b/config/initializers/devise_token_auth.rb
index 100332d..84ea903 100644
--- a/config/initializers/devise_token_auth.rb
+++ b/config/initializers/devise_token_auth.rb
@@ -9,7 +9,7 @@
# By default, users will need to re-authenticate after 2 weeks. This setting
# determines how long tokens will remain valid after they are issued.
- config.token_lifespan = 90.days
+ config.token_lifespan = 30.days
# Limiting the token_cost to just 4 in testing will increase the performance of
# your test suite dramatically. The possible cost value is within range from 4
@@ -18,7 +18,7 @@
# Sets the max number of concurrent devices per user, which is 10 by default.
# After this limit is reached, the oldest tokens will be removed.
- config.max_number_of_devices = 100
+ config.max_number_of_devices = 10
# Sometimes it's necessary to make several requests to the API at the same
# time. In this case, each request in the batch will need to share the same
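Review bot: `config.max_number_of_devices = 10` now restates the gem default that the comment directly above it names, so the override carries no information and a reader cannot tell whether it is intentional. Either drop the line or change the comment to make the pin explicit, e.g. `# Pinned to the default on purpose so a future gem upgrade cannot raise it silently.` The `DeviseTokenAuth.setup do |config|` block enclosing this hunk starts outside it.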
diff --git a/config/initializers/permissions_policy.rb b/config/initializers/permissions_policy.rb
index 7db3b95..869dfd2 100644
--- a/config/initializers/permissions_policy.rb
+++ b/config/initializers/permissions_policy.rb
@@ -3,11 +3,17 @@
# Define an application-wide HTTP permissions policy. For further
# information see: https://developers.google.com/web/updates/2018/06/feature-policy
-# Rails.application.config.permissions_policy do |policy|
-# policy.camera :none
-# policy.gyroscope :none
-# policy.microphone :none
-# policy.usb :none
-# policy.fullscreen :self
-# policy.payment :self, "https://secure.example.com"
-# end
+Rails.application.config.permissions_policy do |policy|
+ policy.accelerometer :none
+ policy.ambient_light_sensor :none
+ policy.autoplay :none
+ policy.camera :none
+ policy.geolocation :none
+ policy.gyroscope :none
+ policy.magnetometer :none
+ policy.microphone :none
+ policy.midi :none
+ policy.payment :none
+ policy.usb :none
+ policy.fullscreen :self
+end
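Review bot: The deny list omits `display_capture` and `picture_in_picture`, which Rails' `ActionDispatch::PermissionsPolicy` also supports and which are as sensitive as `camera` for pages that never capture the screen; `policy.display_capture :none` next to the `camera` line would close that gap if no view depends on it. `policy.fullscreen :self` is the only entry that is not `:none`, so a one-line comment above it explaining which view needs fullscreen would stop the next reviewer from tightening it by mistake.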