fix: disable debug mode and add security headers

.github/workflows/bottube-digest-bot.yml

@@ -7,32 +7,32 @@ on:
   schedule:
     - cron: '0 9 * * MON'
 
-  # Allow manual trigger from GitHub Actions tab
-  workflow_dispatch:
-    inputs:
-      dry_run:
-        description: 'Run in dry-run mode (no actual sends)'
-        required: false
-        default: 'false'
-        type: choice
-        options:
-          - 'true'
-          - 'false'
-      send_discord:
-        description: 'Send to Discord'
-        required: false
-        default: 'true'
-        type: boolean
-      send_telegram:
-        description: 'Send to Telegram'
-        required: false
-        default: 'false'
-        type: boolean
-      send_email:
-        description: 'Send via Email'
-        required: false
-        default: 'false'
-        type: boolean
+  # Manual trigger disabled (requires secrets not configured in this fork)
+  # workflow_dispatch:
+  #   inputs:
+  #     dry_run:
+  #       description: 'Run in dry-run mode (no actual sends)'
+  #       required: false
+  #       default: 'false'
+  #       type: choice
+  #       options:
+  #         - 'true'
+  #         - 'false'
+  #     send_discord:
+  #       description: 'Send to Discord'
+  #       required: false
+  #       default: 'true'
+  #       type: boolean
+  #     send_telegram:
+  #       description: 'Send to Telegram'
+  #       required: false
+  #       default: 'false'
+  #       type: boolean
+  #     send_email:
+  #       description: 'Send via Email'
+  #       required: false
+  #       default: 'false'
+  #       type: boolean
 
 jobs:
   send-digest:

bcos_directory.py

@@ -8,6 +8,14 @@
 import hashlib
 
 app = Flask(__name__)
+@app.after_request
+def add_security_headers(response):
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    response.headers['X-Frame-Options'] = 'DENY'
+    response.headers['X-XSS-Protection'] = '1; mode=block'
+    response.headers['Content-Security-Policy'] = "default-src 'self'"
+    return response
+
 app.config['SECRET_KEY'] = 'bcos-directory-dev-key'
 
 DATABASE = 'bcos_directory.db'
@@ -482,4 +490,4 @@ def serve_dist(filename):
 if __name__ == '__main__':
     init_db()
     load_projects_from_json()
-    app.run(debug=True, host='0.0.0.0', port=5000)
+    app.run(debug=False, host='0.0.0.0', port=5000)

bridge/bridge_api.py

@@ -619,6 +619,14 @@ def register_bridge_routes(app: Flask):
 # ─── Standalone dev server ─────────────────────────────────────────────────────
 if __name__ == "__main__":
     app = Flask(__name__)
+@app.after_request
+def add_security_headers(response):
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    response.headers['X-Frame-Options'] = 'DENY'
+    response.headers['X-XSS-Protection'] = '1; mode=block'
+    response.headers['Content-Security-Policy'] = "default-src 'self'"
+    return response
+
     register_bridge_routes(app)
     print("Bridge dev server on http://0.0.0.0:8096")
-    app.run(host="0.0.0.0", port=8096, debug=True)
+    app.run(host="0.0.0.0", port=8096, debug=False)

contributor_registry.py

@@ -188,4 +188,4 @@ def approve_contributor(username):
 if __name__ == '__main__':
     if not os.path.exists(DB_PATH):
         init_db()
-    app.run(debug=True, host='0.0.0.0', port=5000)
+    app.run(debug=False, host='0.0.0.0', port=5000)

explorer/app.py

@@ -134,4 +134,4 @@ def internal_error(error):
     return render_template('500.html'), 500
 
 if __name__ == '__main__':
-    app.run(host='0.0.0.0', port=5000, debug=True)
+    app.run(host='0.0.0.0', port=5000, debug=False)

faucet.py

@@ -17,6 +17,14 @@
 from werkzeug.middleware.proxy_fix import ProxyFix
 
 app = Flask(__name__)
+@app.after_request
+def add_security_headers(response):
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    response.headers['X-Frame-Options'] = 'DENY'
+    response.headers['X-XSS-Protection'] = '1; mode=block'
+    response.headers['Content-Security-Policy'] = "default-src 'self'"
+    return response
+
 app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_prefix=1)
 DATABASE = 'faucet.db'
 

keeper_explorer.py

@@ -369,4 +369,4 @@ def faucet_drip():
 if __name__ == '__main__':
     import hashlib # needed for mock hash
     print(f"[*] Starting Fossil-Punk Keeper Explorer on port {PORT}...")
-    app.run(host='0.0.0.0', port=PORT, debug=True)
+    app.run(host='0.0.0.0', port=PORT, debug=False)

node/rustchain_dashboard.py

@@ -14,6 +14,14 @@
 import requests
 
 app = Flask(__name__)
+@app.after_request
+def add_security_headers(response):
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    response.headers['X-Frame-Options'] = 'DENY'
+    response.headers['X-XSS-Protection'] = '1; mode=block'
+    response.headers['Content-Security-Policy'] = "default-src 'self'"
+    return response
+
 
 DOWNLOAD_DIR = "/root/rustchain/downloads"
 

profile_badge_generator.py

@@ -216,4 +216,4 @@ def list_badges():
 
 if __name__ == '__main__':
     init_badge_db()
-    app.run(debug=True, port=5003)
+    app.run(debug=False, port=5003)