fix : DAST security issue.

2025-10-27 16:30:10 +05:30
parent 7ba258dc21
commit 8bf603544f
5 changed files with 63 additions and 22 deletions
--- a/TODO.md
+++ b/TODO.md
@@ -11,13 +11,13 @@
 - >Logout popup :
   - >Are you sure want to logout?
 - >Home page password Expiry message
- Set userId and login with userID
+- >Set userId and login with userID
 - Limit of transaction daily  --Asif
 - >Statement Download
 - >In Every OTP page "Resend button" & 3 min timing of expiry.
 - >OTP binding with actual mobile number.
 - >Beneficiary delete feature
- IN settings page NOTE position Fixing.
+- >IN settings page NOTE position Fixing.
 - >Admin page 
   - >give rights
   - >view rights 
@@ -25,7 +25,7 @@
 <!-- - >For Migration if user not have password -->
 - E-mandate
 <!-- - Make every page responsive (need to check settings and payment tab) -->
- Locked (3 times wrong password in time of login)
+- >Locked (3 times wrong password in time of login)
 - >session timeout
 - >login time otp
 <!-- - narration   (in statement) Last 10 transaction the remarks not comes from subham sites-->
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -1,21 +1,66 @@
 /** @type {import('next').NextConfig} */
-
 import os from "os";
 const isWindows = os.platform() === "win32";

+// Security headers
+const securityHeaders = [
+    {
+        key: "Content-Security-Policy",
+        value: `
+      default-src 'self';
+      script-src 'self' 'unsafe-inline' 'unsafe-eval';
+      style-src 'self' 'unsafe-inline';
+      img-src 'self' data:;
+      font-src 'self';
+      connect-src 'self' http://localhost:8080 https://yourdomain.com;
+      frame-ancestors 'none';
+      object-src 'none';
+      base-uri 'self';
+      form-action 'self';
+    `.replace(/\n/g, ""), // remove newlines
+    },
+    {
+        key: "Referrer-Policy",
+        value: "strict-origin-when-cross-origin",
+    },
+    {
+        key: "X-Content-Type-Options",
+        value: "nosniff",
+    },
+    {
+        key: "X-Frame-Options",
+        value: "DENY",
+    },
+    {
+        key: "Permissions-Policy",
+        value: "camera=(), microphone=(), geolocation=()",
+    },
+];
+
 const nextConfig = {
+    // Hide "X-Powered-By: Next.js"
+    poweredByHeader: false,
    experimental: {
        serverComponentsExternalPackages: ["typeorm", "knex"],
    },
    reactStrictMode: true,
-    // For port transfer
+
    async rewrites() {
        return [
            {
-                source: '/api/:path*',
+                source: "/api/:path*",
                destination: isWindows
-                    ? "http://localhost:8080/api/:path*"       // For Windows
-                    : "http://localhost:8080/api/:path*",  // For Linux/Mac/Server
+                    ? "http://localhost:8080/api/:path*" // For Windows
+                    : "http://localhost:8080/api/:path*", // For Linux/Mac/Server
+            },
+        ];
+    },
+
+    async headers() {
+        return [
+            {
+                source: "/(.*)", // Apply to all routes
+                headers: securityHeaders,
            },
        ];
    },
--- a/src/app/(main)/funds_transfer/page.tsx
+++ b/src/app/(main)/funds_transfer/page.tsx
@@ -286,20 +286,14 @@ export default function QuickPay() {
          message: "Transaction successful",
          color: "green",
        });
-        setShowTxnPassword(false);
-        setTxnPassword("");
-        setShowOtpField(false);
-        setOtp("");
-        setValidationStatus(null);
-        setBeneficiaryName(null);
-        setTimerActive(false);
-        setCountdown(180);
+        return;
      } else {
        notifications.show({
          title: "Error",
          message: result?.error || "Transaction failed",
          color: "red",
        });
+        return;
      }
    } catch {
      notifications.show({
@@ -314,6 +308,8 @@ export default function QuickPay() {
      setBeneficiaryName('');
      setConfirmBeneficiaryAcc('');
      setBeneficiaryType(null);
+      setTxnPassword("");
+      setOtp("");
      setAmount('');
      setRemarks('');
      setIsVisibilityLocked(false);
--- a/src/app/_util/otp.ts
+++ b/src/app/_util/otp.ts
@@ -14,8 +14,8 @@ interface SendOtpPayload {
 }

 function getStoredMobileNumber(): string {
-  // const mobileNumber = localStorage.getItem('remitter_mobile_no');
-  const mobileNumber = "7890544527";
+  const mobileNumber = localStorage.getItem('remitter_mobile_no');
+  // const mobileNumber = "7890544527";
  if (!mobileNumber) throw new Error('Mobile number not found.');
  return mobileNumber;
 }
--- a/src/app/login/page.tsx
+++ b/src/app/login/page.tsx
@@ -45,8 +45,8 @@ export default function Login() {
        }

        try {
-            // await sendOtp({ type: 'LOGIN_OTP', username: CIF, mobileNumber: mobile });
-            await sendOtp({ type: 'LOGIN_OTP', username: CIF, mobileNumber: "7890544527" });
+            await sendOtp({ type: 'LOGIN_OTP', username: CIF, mobileNumber: mobile });
+            // await sendOtp({ type: 'LOGIN_OTP', username: CIF, mobileNumber: "7890544527" });
            notifications.show({
                color: 'orange',
                title: 'OTP Required',
@@ -67,8 +67,8 @@ export default function Login() {
    async function handleVerifyOtp(mobile?: string) {
        try {
            if (mobile) {
-                // await verifyLoginOtp(otp, mobile);
-                await verifyLoginOtp(otp, '7890544527');
+                await verifyLoginOtp(otp, mobile);
+                // await verifyLoginOtp(otp, '7890544527');
                return true;
            }
        }