fix: remove wildcard CORS from nginx electrs-status, verify security headers

Security headers already present in nginx config (X-Content-Type-Options,
X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy). Removed
Access-Control-Allow-Origin: * from electrs-status — CORS is now handled
by the backend with origin validation. Deployed and verified all headers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-11 00:54:41 +00:00
parent 2bfc36baa0
commit 5bad457922
2 changed files with 3 additions and 3 deletions

View File

@@ -126,7 +126,7 @@ server {
proxy_pass http://127.0.0.1:5678/electrs-status;
proxy_http_version 1.1;
proxy_set_header Host $host;
add_header Access-Control-Allow-Origin *;
# CORS handled by backend
}
# Proxy apps that set X-Frame-Options - strip header so iframe works
@@ -499,7 +499,7 @@ server {
proxy_pass http://127.0.0.1:5678/electrs-status;
proxy_http_version 1.1;
proxy_set_header Host $host;
add_header Access-Control-Allow-Origin *;
# CORS handled by backend
}
location /rpc/ {