From 1413b9c01b5589041e23aa886359d52c5afbfb7b Mon Sep 17 00:00:00 2001
From: Nyk <0xnykcd@googlemail.com>
Date: Tue, 17 Mar 2026 20:35:40 +0700
Subject: [PATCH] fix: secure production defaults

- Default DEBUG to False instead of True
- Generate random SECRET_KEY if not set (no hardcoded fallback)
- Configure CORS origins from env instead of wildcard
- Default host to 127.0.0.1 instead of 0.0.0.0
- Add security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection)

---
 .env.example            |  8 +++++++-
 backend/app/__init__.py |  5 ++++-
 backend/app/config.py   | 11 +++++++++--
 backend/run.py          |  2 +-
 4 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/.env.example b/.env.example
index 78a3b72c..f0d67c32 100644
--- a/.env.example
+++ b/.env.example
@@ -13,4 +13,10 @@ ZEP_API_KEY=your_zep_api_key_here
 # 注意如果不使用加速配置,env文件中就不要出现下面的配置项
 LLM_BOOST_API_KEY=your_api_key_here
 LLM_BOOST_BASE_URL=your_base_url_here
-LLM_BOOST_MODEL_NAME=your_model_name_here
\ No newline at end of file
+LLM_BOOST_MODEL_NAME=your_model_name_here
+
+# ===== Flask配置(可选)=====
+# SECRET_KEY=your-secret-key-here
+# FLASK_DEBUG=False
+# CORS_ORIGINS=http://localhost:3000,http://localhost:5173
+# FLASK_HOST=127.0.0.1
diff --git a/backend/app/__init__.py b/backend/app/__init__.py
index aba624bb..62912f2a 100644
--- a/backend/app/__init__.py
+++ b/backend/app/__init__.py
@@ -40,7 +40,7 @@ def create_app(config_class=Config):
     logger.info("=" * 50)
 
     # 启用CORS
-    CORS(app, resources={r"/api/*": {"origins": "*"}})
+    CORS(app, resources={r"/api/*": {"origins": config_class.CORS_ORIGINS}})
 
     # 注册模拟进程清理函数(确保服务器关闭时终止所有模拟进程)
     from .services.simulation_runner import SimulationRunner
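Review bot: The new CORS line reads the origin list straight from the class attribute `config_class.CORS_ORIGINS` rather than from the application's live configuration, so any value an operator or a test places on `app.config` after the app is created is not honoured. If `app.config.from_object(config_class)` runs earlier in `create_app` (the `config_class` parameter suggests it does, but that part of the function is outside the hunk), `CORS(app, resources={r"/api/*": {"origins": app.config["CORS_ORIGINS"]}})` keeps a single source of truth for the allowed origins. Note also that an env value of `*` still reproduces the old wildcard, which is acceptable for local use but worth a comment such as `# CORS_ORIGINS: comma-separated list; "*" disables origin checking` so that production deployers see it. `create_app` begins and ends outside this hunk.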
@@ -60,6 +60,9 @@ def create_app(config_class=Config):
     def log_response(response):
         logger = get_logger('mirofish.request')
         logger.debug(f"响应: {response.status_code}")
+        response.headers['X-Content-Type-Options'] = 'nosniff'
+        response.headers['X-Frame-Options'] = 'DENY'
+        response.headers['X-XSS-Protection'] = '1; mode=block'
         return response
 
     # 注册蓝图
diff --git a/backend/app/config.py b/backend/app/config.py
index 953dfa50..cc7f53f4 100644
--- a/backend/app/config.py
+++ b/backend/app/config.py
@@ -21,8 +21,15 @@ class Config:
     """Flask配置类"""
 
     # Flask配置
-    SECRET_KEY = os.environ.get('SECRET_KEY', 'mirofish-secret-key')
-    DEBUG = os.environ.get('FLASK_DEBUG', 'True').lower() == 'true'
+    SECRET_KEY = os.environ.get('SECRET_KEY')
+    if not SECRET_KEY:
+        import secrets
+        SECRET_KEY = secrets.token_hex(32)
+
+    DEBUG = os.environ.get('FLASK_DEBUG', 'False').lower() == 'true'
+
+    # CORS configuration
+    CORS_ORIGINS = os.environ.get('CORS_ORIGINS', 'http://localhost:3000').split(',')
 
     # JSON配置 - 禁用ASCII转义,让中文直接显示(而不是 \uXXXX 格式)
     JSON_AS_ASCII = False
diff --git a/backend/run.py b/backend/run.py
index 4e3b04fa..8a3ade9f 100644
--- a/backend/run.py
+++ b/backend/run.py
@@ -37,7 +37,7 @@ def main():
     app = create_app()
     # 获取运行配置
-    host = os.environ.get('FLASK_HOST', '0.0.0.0')
+    host = os.environ.get('FLASK_HOST', '127.0.0.1')
     port = int(os.environ.get('FLASK_PORT', 5001))
     debug = Config.DEBUG
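Review bot: The added `X-XSS-Protection: 1; mode=block` header is a legacy control: current browsers have removed the filter it enables, and OWASP's header guidance is to send `X-XSS-Protection: 0` or omit it, because the filter in older browsers could itself be abused; a `Content-Security-Policy` is the control that actually addresses injected script today, so `response.headers['X-XSS-Protection'] = '0'` plus a `Content-Security-Policy` tuned to the API's responses would be the current-practice form. The other two headers are fine, though setting security policy inside a hook named `log_response` makes it easy to miss; a separate `@app.after_request` function named for its purpose (for example `set_security_headers`) would keep logging and policy apart. Because these run in an after-request hook, they presumably do not apply to responses produced by unhandled exceptions unless an error handler returns a response, which is worth a comment on the hook. The enclosing `create_app` begins and ends outside this hunk.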
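Review bot: Generating `SECRET_KEY` with `secrets.token_hex(32)` at class-definition time gives every process its own key, so signed session cookies and any tokens derived from the key are invalidated on every restart and differ between worker processes when several are started (each imports `config.py` separately); the fallback is silent, so a production deployment that forgets to set `SECRET_KEY` will simply see sessions break. The fallback should at least emit a warning, and the comment should say it is for local use only. Separately, `CORS_ORIGINS` is produced by a bare `.split(',')`, so a value written as `http://a.example, http://b.example` yields an entry with a leading space that never matches an Origin header, and an empty variable yields `['']`; trimming and dropping empty entries avoids both. The `import secrets` inside the class body works but is unusual; moving it (and `warnings`) to the module's import block would match the file's style.
```python
    SECRET_KEY = os.environ.get('SECRET_KEY')
    if not SECRET_KEY:
        import secrets
        import warnings
        # Ephemeral fallback for local runs only: signed sessions/tokens will not
        # survive a restart and will differ between worker processes.
        SECRET_KEY = secrets.token_hex(32)
        warnings.warn("SECRET_KEY is not set; using a random per-process key", RuntimeWarning)

    # … unchanged: DEBUG …

    # CORS configuration: comma-separated origins, whitespace trimmed, empties dropped
    CORS_ORIGINS = [
        origin.strip()
        for origin in os.environ.get('CORS_ORIGINS', 'http://localhost:3000').split(',')
        if origin.strip()
    ]
```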