Remove image proxy, add ESLint, fix security issues #398

Draft
mohanadft wants to merge 2 commits into main from security-and-cleanup

@mohanadft mohanadft commented Mar 30, 2026

Summary

  • Remove Cloudflare image proxy — deleted cloudflare-worker/ and src/utils/imageProxy.ts; notionClient.ts now uses direct Notion file URLs
  • Security fixes — block javascript:/data: URLs in RichTextRenderer, clamp postMessage iframe height in donate page, add X-Content-Type-Options/X-Frame-Options/Referrer-Policy headers to middleware, fix middleware overriding API routes' no-cache headers, remove PUBLIC_SECRET_KEY console leak in api.ts
  • Cleanup — strip verbose/sensitive console.log calls from notionClient.ts and Events.tsx
  • Tooling — add ESLint config (eslint.config.js) and .env.example
  • Accessibility — add missing alt attributes on images in ProjectsList

Test plan

  • Events page loads and images display (now using direct Notion URLs, no proxy)
  • Event image fallback still works on broken image URLs
  • Donate page iframe resizes correctly
  • Check response headers include X-Content-Type-Options, X-Frame-Options, Referrer-Policy
  • API routes (/api/events, etc.) still return no-cache headers (not overridden by middleware)
  • pnpm lint runs without errors

- Remove Cloudflare image proxy worker and imageProxy utility; use direct
  Notion URLs instead
- Strip verbose/sensitive console.log calls from notionClient, Events,
  and api.ts (including PUBLIC_SECRET_KEY leak)
- Add security headers to middleware (X-Content-Type-Options,
  X-Frame-Options, Referrer-Policy); fix Cache-Control override of
  API routes' no-cache headers
- Validate URLs in RichTextRenderer to block javascript:/data: injection
- Clamp postMessage iframe height in donate page (100–5000px)
- Add ESLint config and .env.example
- Fix missing alt attributes on images in ProjectsList
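
The two input-handling fixes named above (rejecting `javascript:`/`data:` links and clamping the iframe height to 100–5000px), sketched as an added example that is not code from this pull request. The function names, the allowed-scheme list, the `{ type: "resize", height }` message shape, the origin check and the rejection of relative links are all assumptions.

```javascript
// Added example; not taken from the PR diff. All names here are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumed allowlist

// Returns a normalized href when the link uses an allowed scheme, else null.
// Parsing with the WHATWG URL class instead of a prefix regex applies the same
// normalization a browser does: scheme case folding, stripping of leading
// whitespace/control characters, and removal of embedded tabs and newlines.
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw); // absolute URLs only; relative links are rejected (assumption)
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

const MIN_HEIGHT = 100; // px, bounds stated in the PR description
const MAX_HEIGHT = 5000;

// Returns a clamped pixel height for a resize message, or null when the
// message should be ignored. `event` has the shape of a browser MessageEvent.
function heightFromMessage(event, trustedOrigin) {
  if (event.origin !== trustedOrigin) return null; // origin check is an assumption
  const data = event.data;
  if (!data || data.type !== "resize") return null; // assumed message shape
  if (typeof data.height !== "number" || !Number.isFinite(data.height)) return null;
  return Math.min(MAX_HEIGHT, Math.max(MIN_HEIGHT, Math.round(data.height)));
}

// Constructed sample input, for illustration only.
const sampleLinks = ["https://example.com/docs", "JavaScript:void(0)", "data:text/plain,hi"];
for (const link of sampleLinks) {
  console.log(JSON.stringify(link), "->", safeHref(link));
}
const sampleEvent = { origin: "https://donate.example", data: { type: "resize", height: 999999 } };
console.log("height:", heightFromMessage(sampleEvent, "https://donate.example"));
```

An allowlist of schemes fails closed: any scheme not listed (including `vbscript:`, `blob:` or `file:`) is rejected without having to be enumerated.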

cloudflare-workers-and-pages bot commented Mar 30, 2026

Deploying website with Cloudflare Pages

Latest commit: f34a7e7
Status: ✅  Deploy successful!
Preview URL: https://26ef3f69.website-aun.pages.dev
Branch Preview URL: https://security-and-cleanup.website-aun.pages.dev

@mohanadft mohanadft self-assigned this Mar 30, 2026
@mohanadft mohanadft marked this pull request as draft March 30, 2026 07:24