fix: remove wildcard CORS from nginx electrs-status, verify security headers

Security headers already present in nginx config (X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy). Removed Access-Control-Allow-Origin: * from electrs-status — CORS is now handled by the backend with origin validation. Deployed and verified all headers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -126,7 +126,7 @@ server {
|
||||
proxy_pass http://127.0.0.1:5678/electrs-status;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
# CORS handled by backend
|
||||
}
|
||||
|
||||
# Proxy apps that set X-Frame-Options - strip header so iframe works
|
||||
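Review bot: the replacement comment `# CORS handled by backend` in the electrs-status location does not say where the origin validation lives or which origins it accepts, and nothing in this hunk shows it. Point the comment at the backend setting or module that holds the allow-list, so the next person editing this location can check it before re-adding a header here. If the backend on 127.0.0.1:5678 echoes the request origin in Access-Control-Allow-Origin, it should also send `Vary: Origin`, so that any cache between client and backend does not reuse a response across origins.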
@@ -499,7 +499,7 @@ server {
|
||||
proxy_pass http://127.0.0.1:5678/electrs-status;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
# CORS handled by backend
|
||||
}
|
||||
|
||||
location /rpc/ {
|
||||
|
||||
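Review bot: the electrs-status location at line 499 is a second hand-maintained copy of the one at line 126, and the same edit had to be made in both server blocks. Moving the location into a shared include file would keep a later header change from landing in one server and missing the other. Separately, nginx inherits `add_header` from the enclosing level only when the current level defines none of its own, so if the replaced `add_header Access-Control-Allow-Origin *;` was the only `add_header` in this location, the server-level security headers now start applying to /electrs-status responses. The "verified all headers" check should cover this path in both servers.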