feat(security): enforce HTTPS for public/browser-facing URLs in production #283
Merged
…ction
- Add requireHttpsInProduction helper to app-frontend and marketing-site
- Validate NEXT_PUBLIC_API_URL uses HTTPS in production via next.config.ts
- Validate PUBLIC_APP_URL uses HTTPS in production via marketing-site config.ts
- Add unit tests for both URL validation helpers (18 tests total)

All server-only Docker network URLs (http://core-api:5000, etc.) are correctly classified as safe — they communicate over private Docker networks and never reach a browser.

Closes: S5332 SonarCloud hotspots for public-facing URLs

Agent-Logs-Url: https://github.com/NickLetts2/Curvit/sessions/d94c2413-0222-438c-8feb-754db10cd98d
Co-authored-by: NickLetts2 <90337962+NickLetts2@users.noreply.github.com>
…ocument Astro dual-detection rationale

Agent-Logs-Url: https://github.com/NickLetts2/Curvit/sessions/d94c2413-0222-438c-8feb-754db10cd98d
Co-authored-by: NickLetts2 <90337962+NickLetts2@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] Fix security hotspots by replacing HTTP with HTTPS" to "feat(security): enforce HTTPS for public/browser-facing URLs in production" on May 15, 2026.
NickLetts2 added a commit that referenced this pull request on Jun 1, 2026: feat(security): enforce HTTPS for public/browser-facing URLs in production
SonarCloud S5332 flagged HTTP URLs across several API client files. After classification, all flagged defaults (`http://core-api:5000`, `http://billing-service:8000`, etc.) are server-only Docker-network URLs — safe as HTTP. The two genuinely browser-facing variables (`NEXT_PUBLIC_API_URL`, `PUBLIC_APP_URL`) had no production HTTPS enforcement.

Classification

- `http://core-api:5000`, `http://*-service:8000`: server-only (Docker network), safe as HTTP
- `http://app-frontend:3000` (marketing-site `internalAppUrl`): server-only (Docker network), safe as HTTP
- `http://127.0.0.1:41017` (`billing.ts`, `PLAYWRIGHT_E2E=1` guard): server-only, safe as HTTP
- `NEXT_PUBLIC_API_URL`, `PUBLIC_APP_URL`: browser-facing, HTTPS now enforced in production

Changes

- `src/lib/url-validation.ts` (both apps): `requireHttpsInProduction(name, value)` helper; throws in production if the value starts with `http://`, no-ops in dev/test.
- `apps/app-frontend/next.config.ts`: calls `requireHttpsInProduction('NEXT_PUBLIC_API_URL', ...)` at startup inside the existing production env-var validation block (fail-closed before the server accepts traffic).
- `apps/marketing-site/src/config.ts`: wraps `appUrl` with the helper; `internalAppUrl` is intentionally left unvalidated (Docker-internal only). The marketing-site variant also checks `import.meta.env.PROD` because Astro sets that flag during SSG builds before `NODE_ENV` propagates.
- 18 unit tests (9 per app) covering: throws on `http://` in production, passes on `https://` in production, passes on `http://localhost` in dev/test.
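The following is an added example of the helper shape the description above lays out; it is not Curvit's own `url-validation.ts`, and the page does not show that file. It reproduces the described behaviour (throw on a non-HTTPS value in production, no-op in dev/test, dual detection via `NODE_ENV` or the Vite/Astro `PROD` flag) and adds two things a reviewer would want: the scheme is taken from the parsed URL rather than `startsWith('http://')`, so `HTTP://` and non-HTTP schemes cannot slip through, and a prefix-based sweep generalises the two-variable check to every `NEXT_PUBLIC_*`/`PUBLIC_*` URL variable, which Next.js and Astro respectively ship into the browser bundle. The names `ProductionSignals`, `isProductionBuild`, `validatePublicUrlEnv` and the `BROWSER_FACING_URL` pattern are this example's own assumptions, as is passing the environment signals in explicitly instead of reading `process.env` and `import.meta.env` inside the helper.

```typescript
// Added example, not Curvit's helper. Signals are injected so the check can be
// exercised in tests without mutating process.env or import.meta.env.
interface ProductionSignals {
  nodeEnv?: string;   // process.env.NODE_ENV
  viteProd?: boolean; // import.meta.env.PROD; Astro sets it during SSG builds
}

// Dual detection: either signal alone is enough to treat the build as production,
// which covers Astro SSG builds that run before NODE_ENV has propagated.
function isProductionBuild(signals: ProductionSignals): boolean {
  return signals.nodeEnv === 'production' || signals.viteProd === true;
}

// Fail-closed check for one browser-facing URL variable.
// Returns the value unchanged when acceptable; throws otherwise.
function requireHttpsInProduction(
  name: string,
  value: string | undefined,
  signals: ProductionSignals,
): string | undefined {
  if (!isProductionBuild(signals)) {
    return value; // dev/test: http://localhost:3000 and friends stay usable
  }
  if (value === undefined || value.trim() === '') {
    throw new Error(`${name} must be set in production`);
  }
  let parsed: URL;
  try {
    parsed = new URL(value.trim());
  } catch {
    throw new Error(`${name} is not an absolute URL: ${JSON.stringify(value)}`);
  }
  // Compare the parsed scheme rather than value.startsWith('http://'): the URL
  // parser lowercases it, so 'HTTP://' is caught, and a non-HTTP scheme
  // (ftp:, javascript:) is rejected instead of being waved through.
  if (parsed.protocol !== 'https:') {
    throw new Error(`${name} must use https:// in production (got ${parsed.protocol})`);
  }
  return value;
}

// Generalisation of the two-variable check (an assumption of this example):
// Next.js exposes NEXT_PUBLIC_* and Astro exposes PUBLIC_* to the browser bundle,
// so any such variable naming a URL is browser-facing by construction.
// Server-only names such as CORE_API_URL are deliberately not matched and may
// keep http://core-api:5000 on the private Docker network.
const BROWSER_FACING_URL = /^(NEXT_PUBLIC_|PUBLIC_)[A-Z0-9_]*URL$/;

// Validates every browser-facing URL variable in `env`; returns the sorted list
// of names it checked. Throws on the first violation (fail-closed at startup).
function validatePublicUrlEnv(
  env: Record<string, string | undefined>,
  signals: ProductionSignals,
): string[] {
  const checked: string[] = [];
  for (const name of Object.keys(env)) {
    if (!BROWSER_FACING_URL.test(name)) continue;
    requireHttpsInProduction(name, env[name], signals);
    checked.push(name);
  }
  return checked.sort();
}
```

Calling `validatePublicUrlEnv(process.env, { nodeEnv: process.env.NODE_ENV })` from the existing production env-var validation block in `next.config.ts`, or with `{ viteProd: import.meta.env.PROD }` added in the Astro config, keeps the fail-closed property the PR describes: the process refuses to start rather than serving a mixed-content or plaintext API URL to browsers.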