fix: secure production defaults
- Default DEBUG to False instead of True - Generate random SECRET_KEY if not set (no hardcoded fallback) - Configure CORS origins from env instead of wildcard - Default host to 127.0.0.1 instead of 0.0.0.0 - Add security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection)
parent
985f89f49a
commit
1413b9c01b
@ -13,4 +13,10 @@ ZEP_API_KEY=your_zep_api_key_here
# 注意如果不使用加速配置,env文件中就不要出现下面的配置项
# 注意如果不使用加速配置,env文件中就不要出现下面的配置项
LLM_BOOST_API_KEY=your_api_key_here
LLM_BOOST_API_KEY=your_api_key_here
LLM_BOOST_BASE_URL=your_base_url_here
LLM_BOOST_BASE_URL=your_base_url_here
LLM_BOOST_MODEL_NAME=your_model_name_here
LLM_BOOST_MODEL_NAME=your_model_name_here
# ===== Flask配置(可选)=====
# SECRET_KEY=your-secret-key-here
# FLASK_DEBUG=False
# CORS_ORIGINS=http://localhost:3000,http://localhost:5173
# FLASK_HOST=127.0.0.1
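Review bot: The `# SECRET_KEY=your-secret-key-here` placeholder in the new Flask block gives no hint that the value must be long and random, and a literal copy of it would become a guessable signing key; since the config now only generates a key itself when the variable is absent, the template is the one place to say how to produce a real one. Add a comment above it: `# Generate with: python -c "import secrets; print(secrets.token_hex(32))"` and, next to `# CORS_ORIGINS=...`, `# comma-separated, no spaces`. The file also mixes Chinese and English comments; keeping the new section's wording consistent with the rest would help whoever maintains it.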
@ -40,7 +40,7 @@ def create_app(config_class=Config):
logger.info("=" * 50)
logger.info("=" * 50)
# 启用CORS
# 启用CORS
CORS(app, resources={r"/api/*": {"origins": "*"}})
CORS(app, resources={r"/api/*": {"origins": config_class.CORS_ORIGINS}})
# 注册模拟进程清理函数(确保服务器关闭时终止所有模拟进程)
# 注册模拟进程清理函数(确保服务器关闭时终止所有模拟进程)
from .services.simulation_runner import SimulationRunner
from .services.simulation_runner import SimulationRunner
@ -60,6 +60,9 @@ def create_app(config_class=Config):
def log_response(response):
def log_response(response):
logger = get_logger('mirofish.request')
logger = get_logger('mirofish.request')
logger.debug(f"响应: {response.status_code}")
logger.debug(f"响应: {response.status_code}")
response.headers['X-Content-Type-Options'] = 'nosniff'
response.headers['X-Frame-Options'] = 'DENY'
response.headers['X-XSS-Protection'] = '1; mode=block'
return response
return response
# 注册蓝图
# 注册蓝图
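Review bot: `response.headers['X-XSS-Protection'] = '1; mode=block'` in the second hunk is a deprecated header — current browsers ignore it, and in the older engines that still honour it `mode=block` has been used as a side channel, which is why OWASP now recommends disabling it and relying on a Content-Security-Policy instead; change the line to `response.headers['X-XSS-Protection'] = '0'` and consider adding `response.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'` alongside it. These headers are also being added inside `log_response`, a function named for logging whose decorator sits outside the hunk; a separate `@app.after_request` hook such as `add_security_headers` would keep the two concerns apart and make the hardening easy to find. In the first hunk, `config_class.CORS_ORIGINS` is read from the class rather than `app.config`, so any override applied through `app.config.from_*` after `from_object` would be ignored — presumably fine today, but worth a comment. `create_app` begins before and continues after these hunks.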
@ -21,8 +21,15 @@ class Config:
"""Flask配置类"""
"""Flask配置类"""
# Flask配置
# Flask配置
SECRET_KEY = os.environ.get('SECRET_KEY', 'mirofish-secret-key')
SECRET_KEY = os.environ.get('SECRET_KEY')
DEBUG = os.environ.get('FLASK_DEBUG', 'True').lower() == 'true'
if not SECRET_KEY:
import secrets
SECRET_KEY = secrets.token_hex(32)
DEBUG = os.environ.get('FLASK_DEBUG', 'False').lower() == 'true'
# CORS configuration
CORS_ORIGINS = os.environ.get('CORS_ORIGINS', 'http://localhost:3000').split(',')
# JSON配置 - 禁用ASCII转义,让中文直接显示(而不是 \uXXXX 格式)
# JSON配置 - 禁用ASCII转义,让中文直接显示(而不是 \uXXXX 格式)
JSON_AS_ASCII = False
JSON_AS_ASCII = False
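Review bot: The `secrets.token_hex(32)` fallback runs at import time and silently gives every interpreter its own SECRET_KEY, so under a multi-worker server (gunicorn, uwsgi) a session or CSRF token signed by one worker is rejected by the next, every restart logs all users out, and the missing configuration never surfaces anywhere. Keep the random key for local development but make the condition visible: compute `DEBUG` first, refuse to start without `SECRET_KEY` when not debugging, and warn when the fallback is used. Separately, `CORS_ORIGINS` is split on commas without stripping, and flask-cors compares non-regex origins as given, so a value like `http://a, http://b` would quietly fail to match the second origin and an empty variable yields `['']`; trimming and dropping empty entries avoids both. The rest of `Config` lies outside the hunk.
```python
    # Flask配置
    DEBUG = os.environ.get('FLASK_DEBUG', 'False').lower() == 'true'

    SECRET_KEY = os.environ.get('SECRET_KEY')
    if not SECRET_KEY:
        if not DEBUG:
            raise RuntimeError("SECRET_KEY must be set in the environment when FLASK_DEBUG is not 'true'")
        import secrets
        import warnings
        warnings.warn("SECRET_KEY not set; using a per-process random key (sessions will not survive a restart or span workers)")
        SECRET_KEY = secrets.token_hex(32)

    # CORS configuration: comma-separated; whitespace and empty entries tolerated
    CORS_ORIGINS = [o.strip() for o in os.environ.get('CORS_ORIGINS', 'http://localhost:3000').split(',') if o.strip()]
    # … unchanged: JSON配置 …
```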
@ -37,7 +37,7 @@ def main():
app = create_app()
app = create_app()
# 获取运行配置
# 获取运行配置
host = os.environ.get('FLASK_HOST', '0.0.0.0')
host = os.environ.get('FLASK_HOST', '127.0.0.1')
port = int(os.environ.get('FLASK_PORT', 5001))
port = int(os.environ.get('FLASK_PORT', 5001))
debug = Config.DEBUG
debug = Config.DEBUG
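Review bot: Changing the `FLASK_HOST` default to `127.0.0.1` is the right production default, but it is a behaviour change for anyone running this in a container or behind a reverse proxy on another host, where a loopback bind makes the service unreachable and the only symptom is a connection refused; the assignment deserves a comment saying so, e.g. `# Bind to loopback unless told otherwise; containerised or proxied deployments must set FLASK_HOST=0.0.0.0 explicitly`. `port = int(os.environ.get('FLASK_PORT', 5001))` still raises a bare `ValueError` on a malformed value, which is acceptable for a startup script but worth a line in the same comment. `main` continues outside the hunk, so whether `app.run` also receives `debug=debug` cannot be checked here.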