
ZCU-PUB/filter config.json before exposing it #1067

Merged
milanmajchrak merged 3 commits into customer/zcu-pub from zcu-pub/filter-exposed-config
Oct 31, 2025


Conversation

jr-rk commented Oct 30, 2025

| Phases     | MP | MM | MB | MR | JM | Total |
|------------|----|----|----|----|----|-------|
| ETA        | 0  | 0  | 0  | 0  | 0  | 0     |
| Developing | 0  | 0  | 0  | 0  | 0  | 0     |
| Review     | 0  | 0  | 0  | 0  | 0  | 0     |
| Total      | -  | -  | -  | -  | -  | 0     |
| ETA est.   |    |    |    |    |    | 0     |
| ETA cust.  | -  | -  | -  | -  | -  | 0     |

Problem description

Eliminates the security risk of exposing sensitive server-side configuration data to the frontend by filtering the config object to include only client-necessary settings before writing config.json.

Based on #1059

jr-rk self-assigned this Oct 30, 2025

jr-rk (author) commented Oct 30, 2025

@milanmajchrak I have removed these lines because they are missing from AppConfig (app-config.interface.ts):

```ts
liveRegion: appConfig.liveRegion,
search: appConfig.search,
accessibility: appConfig.accessibility,
// Matomo analytics - only expose client-side tracking properties
...(appConfig.matomo && {
    matomo: {
        hostUrl: appConfig.matomo.hostUrl,
        siteId: appConfig.matomo.siteId,
        dimensionId: appConfig.matomo.dimensionId,
    },
}),
```

Copilot AI left a comment

Pull Request Overview

This PR introduces config sanitization to prevent exposing sensitive server-side configuration to the frontend. Instead of writing the complete appConfig to the destination file, it now creates a publicConfig object that includes only client-side relevant settings.

  • Creates a sanitized public config object that excludes server-side sensitive data
  • Filters out cache, actuators, and server connection details (host, port, SSL settings)
  • Retains only frontend-needed properties like API endpoints, auth timeouts, and feature configurations


Comment thread src/config/config.server.ts
Comment thread src/config/config.server.ts
jr-rk (author) commented Oct 30, 2025

The frontend requires the cache.msToLive and cache.control settings to function properly. This excludes the server-side cache settings (serverSide, autoSync) while including the client-necessary cache configuration.

(same as on dev-5:)
(screenshot attached to the comment)

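The comments above and the Copilot summary describe the same idea: write a sanitised object to config.json instead of the whole appConfig, keeping cache.msToLive and cache.control but dropping cache.serverSide, cache.autoSync, actuators and the server connection details. The block below is an added example written for this discussion, not code from this PR or from dspace-angular's config.server.ts. It goes one step further than the PR's hand-written publicConfig literal: the browser-facing object is derived from an allow-list of dotted paths, so a key that is not listed (including one added to AppConfig later) is private by default, and a leafPaths/leakedPaths check makes the result auditable. The allow-list, the forbidden prefixes and the sample config are assumptions constructed for the example.

```typescript
// Added illustration for this PR, not dspace-angular's own config.server.ts.
// Derive the browser-facing config from an allow-list of dotted paths instead
// of copying fields by hand, so unlisted keys never reach config.json.

type PlainObject = Record<string, unknown>;

// Illustrative allow-list (an assumption, except cache.msToLive / cache.control,
// which the PR discussion names as required by the frontend).
const PUBLIC_CONFIG_PATHS: readonly string[] = [
  'ui.nameSpace', 'ui.baseUrl',
  'rest.nameSpace', 'rest.baseUrl',
  'cache.msToLive', 'cache.control',
  'auth.ui.timeUntilIdle', 'auth.ui.idleGracePeriod',
  'matomo.hostUrl', 'matomo.siteId', 'matomo.dimensionId',
];

// Paths that must never be serialised for the browser (assumed list, following
// the PR summary: server-side cache settings, actuators, server host/port/ssl).
const FORBIDDEN_PREFIXES = ['cache.serverSide', 'cache.autoSync', 'actuators', 'ui.host', 'ui.port', 'ui.ssl'];

function getPath(obj: unknown, parts: string[]): unknown {
  let cur: unknown = obj;
  for (const p of parts) {
    if (cur === null || typeof cur !== 'object' || !(p in (cur as PlainObject))) {
      return undefined;
    }
    cur = (cur as PlainObject)[p];
  }
  return cur;
}

function setPath(target: PlainObject, parts: string[], value: unknown): void {
  let cur = target;
  for (const p of parts.slice(0, -1)) {
    if (cur[p] === null || typeof cur[p] !== 'object') {
      cur[p] = {};
    }
    cur = cur[p] as PlainObject;
  }
  cur[parts[parts.length - 1]] = value;
}

// Build the object that is safe to write to config.json. Paths absent from the
// server config (e.g. no matomo block) are simply skipped.
function toPublicConfig(appConfig: PlainObject, paths: readonly string[] = PUBLIC_CONFIG_PATHS): PlainObject {
  const pub: PlainObject = {};
  for (const path of paths) {
    const parts = path.split('.');
    const value = getPath(appConfig, parts);
    if (value !== undefined) {
      // JSON round-trip: config.json can only carry JSON anyway, and this
      // detaches the copy from the server-side object.
      setPath(pub, parts, JSON.parse(JSON.stringify(value)));
    }
  }
  return pub;
}

// Every dotted leaf path in an object; used to audit what actually gets written.
function leafPaths(obj: unknown, prefix = ''): string[] {
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return [prefix];
  }
  const out: string[] = [];
  for (const [k, v] of Object.entries(obj as PlainObject)) {
    out.push(...leafPaths(v, prefix === '' ? k : `${prefix}.${k}`));
  }
  return out;
}

// Leaf paths of the public config that fall under a forbidden prefix.
function leakedPaths(publicConfig: PlainObject): string[] {
  return leafPaths(publicConfig).filter((p) =>
    FORBIDDEN_PREFIXES.some((f) => p === f || p.startsWith(f + '.')));
}

// Constructed sample server config for the example (not a real deployment).
const sampleAppConfig: PlainObject = {
  ui: { ssl: false, host: 'localhost', port: 4000, nameSpace: '/', baseUrl: 'http://localhost:4000/' },
  rest: { ssl: true, host: 'api.example.org', port: 443, nameSpace: '/server', baseUrl: 'https://api.example.org/server' },
  cache: {
    msToLive: { default: 900000 },
    control: 'max-age=60',
    serverSide: { debug: false, botCache: { max: 1000, timeToLive: 86400000 } },
    autoSync: { timePerMethod: { PATCH: 3 } },
  },
  actuators: { endpointPath: '/actuator/health' },
  auth: { ui: { timeUntilIdle: 900000, idleGracePeriod: 300000 } },
  matomo: { hostUrl: 'https://stats.example.org/', siteId: '7', dimensionId: '3' },
};

const publicConfig = toPublicConfig(sampleAppConfig);
console.log(JSON.stringify(publicConfig, null, 2)); // what would be written to config.json
console.log('leaked paths:', leakedPaths(publicConfig));
```

In a server build step the leakedPaths check is the useful part: run it on the object just before it is written and fail the build if the list is non-empty, so a future change that widens the allow-list is caught before the file is served.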
milanmajchrak merged commit eeb1ab8 into customer/zcu-pub Oct 31, 2025
4 checks passed

3 participants