
refactor: enhance captcha validation and security policies #45

Merged

GTPSHAX merged 10 commits into NgodingCik:main from GTPSHAX:main on May 17, 2026

Conversation

@GTPSHAX (Contributor) commented May 17, 2026

Overview

This pull request streamlines security configurations, cleans up legacy API endpoints, and makes CAPTCHA validation highly flexible. It unifies environment-based host parsing across applications and adds granular control over Content Security Policy (CSP) directives.

Key Changes

Security Middleware & CSP Updates

  • Centralized Host Parsing: Introduced a reusable parseEnvHosts helper function in both apps/api/middleware/helmet.js and apps/web/middleware/helmet.js. This eliminates code duplication when reading trusted domains from environment variables.
  • Granular CSP Rules: Expanded directives to securely allow Google Analytics and Google Tag Manager across script-src, img-src, and connect-src.
  • Environment-Specific Policies: Improved developer experience by removing the upgrade-insecure-requests directive when running in a local development environment.
  • Maintainability: Standardized policy structures using a base defaultDirectives configuration object across the codebase.

Flexible CAPTCHA Validation

  • Provider Agnosticism: Refactored handle-generate-docx.js to dynamically evaluate and accept validation from either hCaptcha or Cloudflare Turnstile.
  • Fail-Safe Fallback: The document generation handler will now gracefully skip verification if no CAPTCHA keys are configured in the environment, preventing broken workflows during local testing.

API Route Cleanup

  • Removed dead code and reduced the application attack surface by deleting the deprecated /autofill-ai and /generate-docx endpoints from apps/web/routes/api/.

How to Test

  1. Security Verification: Inspect the network headers on both the Web and API apps to verify that Google Analytics domains are permitted and that upgrade-insecure-requests is absent in development.
  2. CAPTCHA Workflow:
     • Test with hCaptcha enabled → document generation should succeed upon token verification.
     • Test with Cloudflare Turnstile enabled → document generation should succeed upon token verification.
     • Test with no CAPTCHA variables in your .env → request should bypass validation and succeed seamlessly.
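The provider-agnostic verification and fallback described under "Flexible CAPTCHA Validation", as an added example that is not the PR's own handle-generate-docx.js code. The environment variable names (HCAPTCHA_SECRET, TURNSTILE_SECRET_KEY), the injectable fetchImpl and the return shape are assumptions; the siteverify endpoints and their success/error-codes JSON are the providers' documented ones. It goes one step beyond the PR's behaviour by skipping verification only when NODE_ENV is not "production", so a missing secret fails closed in production.

```javascript
// Added example (not the PR's code): choose hCaptcha or Turnstile from the
// environment, verify a token, and skip verification only outside production.
// Env var names and the fetchImpl parameter are assumptions for this example.
const PROVIDERS = [
  { name: "hcaptcha", secretVar: "HCAPTCHA_SECRET",
    url: "https://api.hcaptcha.com/siteverify" },
  { name: "turnstile", secretVar: "TURNSTILE_SECRET_KEY",
    url: "https://challenges.cloudflare.com/turnstile/v0/siteverify" },
];

// First provider whose secret is present in `env`, or null when none is set.
function selectProvider(env) {
  return PROVIDERS.find((p) => typeof env[p.secretVar] === "string" && env[p.secretVar]) || null;
}

// Verify `token`. Resolves to { ok, provider, skipped, reason }.
// fetchImpl defaults to the global fetch; tests inject a fake to stay offline.
async function verifyCaptcha(token, env, fetchImpl = globalThis.fetch) {
  const provider = selectProvider(env);
  if (!provider) {
    // No keys configured: permit the request in local/dev runs only.
    if (env.NODE_ENV === "production") {
      return { ok: false, provider: null, skipped: false, reason: "captcha-not-configured" };
    }
    return { ok: true, provider: null, skipped: true, reason: "no-captcha-keys" };
  }
  if (typeof token !== "string" || token.length === 0) {
    return { ok: false, provider: provider.name, skipped: false, reason: "missing-token" };
  }
  // Both siteverify endpoints take a form-encoded POST with `secret` and `response`.
  const body = new URLSearchParams({ secret: env[provider.secretVar], response: token });
  const res = await fetchImpl(provider.url, { method: "POST", body });
  const data = await res.json();
  const ok = data.success === true;
  return {
    ok,
    provider: provider.name,
    skipped: false,
    reason: ok ? "verified" : (data["error-codes"] || ["unknown"]).join(","),
  };
}
```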

@GTPSHAX GTPSHAX merged commit 9df15c8 into NgodingCik:main May 17, 2026
1 check passed