Build Optimizations:
- Enable Docker BuildKit cache for faster builds (7min → 3-4min)
- Add .dockerignore to reduce build context
- Optimize Dockerfile with better layer caching
- Run linting and tests in parallel
- Skip blocking checks for dev deployments

Rollback Functionality:
- Add rollback.sh script to restore previous versions
- Supports both production and dev environments
- Automatic health checks after rollback

Security Improvements:
- Add authentication to n8n/generate-image endpoint
- Add rate limiting to all n8n endpoints (10-30 req/min)
- Create email obfuscation utilities
- Add ObfuscatedEmail React component
- Document security best practices

Files:
- .dockerignore - Faster builds
- scripts/rollback.sh - Rollback functionality
- lib/email-obfuscate.ts - Email obfuscation utilities
- components/ObfuscatedEmail.tsx - React component
- SECURITY_IMPROVEMENTS.md - Security documentation
# 🔒 Security Improvements

## Implemented Security Features

### 1. n8n API Endpoint Protection

All n8n endpoints are now protected with:
- Authentication: Admin authentication required for sensitive endpoints (`/api/n8n/generate-image`)
- Rate Limiting:
  - `/api/n8n/generate-image`: 10 requests/minute
  - `/api/n8n/chat`: 20 requests/minute
  - `/api/n8n/status`: 30 requests/minute
### 2. Email Obfuscation

Email addresses can now be obfuscated to prevent automated scraping:
```tsx
import { createObfuscatedMailto } from '@/lib/email-obfuscate';
import { ObfuscatedEmail } from '@/components/ObfuscatedEmail';

// React component
<ObfuscatedEmail email="contact@dk0.dev">Contact Me</ObfuscatedEmail>

// HTML string
const mailtoLink = createObfuscatedMailto('contact@dk0.dev', 'Email Me');
```
How it works:

- Email addresses are base64 encoded in the HTML
- JavaScript decodes them on click
- Defeats simple regex-based email scrapers (a scraper that executes JavaScript can still recover the address)
- Still fully functional for real users
### 3. URL Obfuscation

Sensitive URLs can be obfuscated:

```ts
import { createObfuscatedLink } from '@/lib/email-obfuscate';

const link = createObfuscatedLink('https://sensitive-url.com', 'Click Here');
```
### 4. Rate Limiting

All API endpoints have rate limiting:

- Slows down brute-force attacks
- Reduces the impact of request floods (DDoS)
- Configurable per endpoint
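An added example (not the project's code) of how the per-endpoint limits listed in section 1 can be enforced: a fixed-window counter keyed by endpoint and client. The client identifiers and timestamps are constructed, and the fallback limit for routes without an explicit entry is an assumption.

```typescript
interface Bucket { count: number; windowStart: number }
interface Decision { allowed: boolean; remaining: number; retryAfterSec: number }

// Requests allowed per 60-second window (values from the document).
const ENDPOINT_LIMITS: Record<string, number> = {
  "/api/n8n/generate-image": 10,
  "/api/n8n/chat": 20,
  "/api/n8n/status": 30,
};
const WINDOW_MS = 60_000;

class RateLimiter {
  private buckets = new Map<string, Bucket>();

  // defaultLimit is an assumption: unlisted routes still get a limit
  // instead of failing open.
  constructor(
    private limits: Record<string, number> = ENDPOINT_LIMITS,
    private defaultLimit = 10,
  ) {}

  // nowMs is passed in so the window logic is deterministic and testable.
  check(endpoint: string, clientId: string, nowMs: number): Decision {
    const limit = this.limits[endpoint] ?? this.defaultLimit;
    const key = `${endpoint}|${clientId}`;
    let bucket = this.buckets.get(key);
    // Start a fresh window if none exists or the current one has expired.
    if (!bucket || nowMs - bucket.windowStart >= WINDOW_MS) {
      bucket = { count: 0, windowStart: nowMs };
      this.buckets.set(key, bucket);
    }
    if (bucket.count >= limit) {
      // Over the limit: report when the window resets (for a Retry-After header).
      const resetMs = bucket.windowStart + WINDOW_MS - nowMs;
      return { allowed: false, remaining: 0, retryAfterSec: Math.ceil(resetMs / 1000) };
    }
    bucket.count += 1;
    return { allowed: true, remaining: limit - bucket.count, retryAfterSec: 0 };
  }
}

// Constructed scenario: one client bursts the generate-image endpoint.
function demo(): void {
  const limiter = new RateLimiter();
  const t0 = 1_700_000_000_000; // constructed timestamp (ms)
  for (let i = 1; i <= 11; i++) {
    const d = limiter.check("/api/n8n/generate-image", "203.0.113.5", t0 + i * 1000);
    console.log(`request ${i}: ${d.allowed ? "allowed" : `rejected, retry in ${d.retryAfterSec}s`}`);
  }
}
demo();
```

In a Next.js route handler the same `check` call would run before the handler body, with the client key derived from the authenticated user or the request's source address.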
## Code Obfuscation

Note: Full code obfuscation for Next.js is not recommended because:
- Next.js already minifies code in production builds
- Obfuscation breaks source maps (harder to debug)
- Performance impact (slower execution)
- Not effective: determined attackers can still reverse engineer the code
- Maintenance burden: harder to debug issues

Better alternatives:
- ✅ Minification (already enabled in Next.js)
- ✅ Environment variables for secrets
- ✅ Server-side rendering (code not exposed)
- ✅ API authentication
- ✅ Rate limiting
- ✅ Security headers
## Best Practices

### For Email Protection
- Use obfuscated emails in public HTML
- Use contact forms instead of direct mailto links
- Monitor for spam patterns
### For API Protection
- Always require authentication for sensitive endpoints
- Use rate limiting
- Log suspicious activity
- Use HTTPS only
- Validate all inputs
### For Webhook Protection

- Use secret tokens (`N8N_SECRET_TOKEN`)
- Verify webhook signatures
- Rate limit webhook endpoints
- Monitor webhook usage
## Implementation Status
- ✅ n8n endpoints protected with auth + rate limiting
- ✅ Email obfuscation utility created
- ✅ URL obfuscation utility created
- ✅ Rate limiting on all n8n endpoints
- ⚠️ Email obfuscation not yet applied to pages (manual step)
- ⚠️ Code obfuscation not implemented (not recommended)
## Next Steps

To apply email obfuscation to your pages:
- Import the component (it lives in `components/ObfuscatedEmail.tsx`, not in the utility module):

  ```tsx
  import { ObfuscatedEmail } from '@/components/ObfuscatedEmail';
  ```

- Replace email links:

  ```tsx
  // Before
  <a href="mailto:contact@dk0.dev">Contact</a>

  // After
  <ObfuscatedEmail email="contact@dk0.dev">Contact</ObfuscatedEmail>
  ```

- For static HTML, use the string function:

  ```ts
  import { createObfuscatedMailto } from '@/lib/email-obfuscate';

  const html = createObfuscatedMailto('contact@dk0.dev', 'Email Me');
  ```