Production hardening: CSP, rate limit, env validation, health gating, Render blueprint, DEPLOYMENT.md

2026-05-09 21:43:43 -07:00
parent da3e48a874
commit dcdf315244
8 changed files with 343 additions and 2 deletions
--- a/render.yaml
+++ b/render.yaml
@@ -0,0 +1,37 @@
+# Render Blueprint — https://render.com/docs/blueprint-spec
+#
+# Deploy this app as a Web Service on Render. Push to your default branch
+# triggers a deploy. Set the four CIVI_* env vars in the Render dashboard
+# (mark them as "Sync: false" so they're not overwritten by this file).
+
+services:
+  - type: web
+    name: coop-checkin
+    runtime: node
+    plan: starter
+    region: oregon
+    buildCommand: npm ci && npm run build
+    startCommand: npm run start
+    healthCheckPath: /healthz
+    envVars:
+      - key: NODE_ENV
+        value: production
+      - key: NODE_VERSION
+        value: "20"
+      # Set these manually in the Render dashboard (UI → Environment).
+      # Marked sync:false so they're not echoed in this committed file.
+      - key: CIVI_BASE_URL
+        sync: false
+      - key: CIVI_API_KEY
+        sync: false
+      - key: CIVI_SITE_KEY
+        sync: false
+      - key: CIVI_HTTP_AUTH_USER
+        sync: false
+      - key: CIVI_HTTP_AUTH_PASS
+        sync: false
+      - key: HEALTH_TOKEN
+        sync: false
+      - key: PUBLIC_ORIGIN
+        sync: false
+    autoDeploy: true