docs: tighten deployment and hardening guidance

mowens3 · mowens3 · commit fa86022028cb · 2026-01-03T13:55:39.000-08:00
diff --git a/MIGRATION.md b/MIGRATION.md
@@ -316,6 +316,9 @@ The resolver is safe, but it’s still an extra lookup. Treat it like part of yo
 **Cloudflare (high-level)**
 
 - Add a Rate Limiting rule or WAF rule for `/jsonapi/resolve*` and `/jsonapi/*` (block or managed challenge after a threshold).
+- Example expressions:
+  - Resolver: `http.request.uri.path eq "/jsonapi/resolve"`
+  - JSON:API: `starts_with(http.request.uri.path, "/jsonapi/")`
 
 **nginx (example)**
 
@@ -334,6 +337,16 @@ location ^~ /jsonapi/ {
 }
 ```
 
+### 1b) Forward auth headers (when using a proxy)
+
+If you use authenticated JSON:API requests (Basic/OAuth/JWT), ensure your proxy forwards the `Authorization` header to Drupal.
+
+**nginx**
+
+```nginx
+proxy_set_header Authorization $http_authorization;
+```
+
 ### 2) Prevent image-host abuse (Next.js)
 
 In production, always restrict remote images to your Drupal host:
@@ -346,6 +359,16 @@ In production, always restrict remote images to your Drupal host:
 - Set `trusted_host_patterns` in Drupal `settings.php` (prevents Host-header injection issues).
 - Set “Drupal URL” in the module settings so generated `drupal_url` values are deterministic.
 
+Example `settings.php`:
+
+```php
+$settings['trusted_host_patterns'] = [
+  '^example\\.com$',
+  '^www\\.example\\.com$',
+  '^cms\\.example\\.com$',
+];
+```
+
 ### 4) Keep secrets out of config exports
 
 This module avoids storing secrets in config exports (config sync). Secrets are stored in Drupal state by default, and you can optionally override them in `settings.php` for deterministic deploys:
diff --git a/README.md b/README.md
@@ -98,6 +98,15 @@ Typical settings:
 
 For deployment and migration examples, see `MIGRATION.md`.
 
+## Production checklist
+
+- Set “Drupal URL” so `drupal_url` is deterministic (don’t rely on Host headers).
+- Set `trusted_host_patterns` in `settings.php`.
+- If using `nextjs_first`, set `X-Proxy-Secret` and keep it in env/`settings.php` (not config exports).
+- Rate limit `/jsonapi/resolve*` and `/jsonapi/*` at the edge (Cloudflare/nginx) to prevent path brute-force load.
+- If using authenticated JSON:API, keep credentials server-side and never cache authenticated responses.
+- For Next.js images, restrict remote domains (`DRUPAL_IMAGE_DOMAIN` in the starter).
+
 ## Supported content
 
 - **Entities:** any canonical content entity route exposed by JSON:API (nodes, terms, media, users, and custom entities)
diff --git a/composer.json b/composer.json
@@ -24,11 +24,5 @@
   ],
   "require": {
     "drupal/core": "^10 || ^11"
-  },
-  "extra": {
-    "drupal": {
-      "version": "1.0.7",
-      "datestamp": ""
-    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -24,11 +24,5 @@`
`24`	`24`	`],`
`25`	`25`	`"require": {`
`26`	`26`	`"drupal/core": "^10 \|\| ^11"`
`27`		`- },`
`28`		`- "extra": {`
`29`		`- "drupal": {`
`30`		`- "version": "1.0.7",`
`31`		`- "datestamp": ""`
`32`		`- }`
`33`	`27`	`}`
`34`	`28`	`}`