Skip to content

Misc fixes and improvements [production ready] #64

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
randshell wants to merge 31 commits into
base: main
Choose a base branch
from
Open

Misc fixes and improvements [production ready] #64

randshell wants to merge 31 commits into from

Conversation

@randshell
Copy link

@randshell randshell commented Jan 15, 2026
edited
Loading

This work has been done as part of @BeDefended.

This is an attempt to revive the project by fixing a few known issues. Summary of updates:

  • The missing env vars are added from Is there a dev.env template missing? #36 (comment).
  • Fixed local storage for screenshots, similar to Update api.js and docker-compose.yml #47 (comment).
  • The google OAuth was disabled to make it easier to deploy this in a single user scenario with no need to rely on a google account. Just click on login button and the session will be automatically created.
  • Due to the previous point, the admin control panel and the public XSS API are now running on separate ports, so that it's possible to firewall the control panel off.
  • The new env file to edit is .env and is, as such, hidden.
  • Email sending switched back from SendGrid to SMTP

Compared to the last MR #62, a few more fixes have been done. Moreover, I've tested the whole MR in a production environment, thus with TLS certificate and email sending functionality, and it should work. The README however needs updating, but reading the comments in the ENV files and Docker compose should already hint at what needs to be adjusted before deploying. Also, these changes are meant for a rootless Docker install, which is the only scenario where this has been tested.

Known bugs / todos:

  • The login page is still present, even though it's not needed now.
  • TLS certificate needs to be already present as there's no scripts to facilitate that (yet?).
  • Vanilla install: no cloud storage tested.

@randshell
Update compose file
6c9cf02 
- fix volumes tag
- increase healthcheck interval
- pin postgres to v16
- remove version tag
@randshell
Update compose file
4005a5f 
- fix volumes tag
- increase healthcheck interval
- pin postgres to v16
- remove version tag
@randshell
Remove authentication for the control panel
bf948d3
@randshell
Add template for the env vars
70cbd9c
@randshell
Add template for the env vars
5fda9bf
@randshell
Separate the Control Panel to use a different listening port
3103eae
@randshell
Merge branch 'removeAuth'
c4d7c1d 
# Conflicts:
#	config.env
#	docker-compose.yml
@randshell
Try removing check on the hostname
7a302e5 
shouldn't be needed since we have the control panel on a different port
@randshell
Use the server's port in the payloads
82b8cc5
@randshell
Move folder volumes to named volumes
51d4683 
Also add file access permissions
@randshell
Fix port handling in the JS callback
6dd3251
@randshell
Fix Docker volumes permissions
9d2731e
@randshell
Fix local screenshots path
5e629c1
@randshell
Fix local screenshots path
530a5a4
@randshell
Add missing body parser in the API
8d8cf26
@randshell
Add / route to the API
0489542
@randshell
More screenshots related fixes
40101ec
@randshell
Add Caddy web server
7ca656a
@randshell
Fix previous commit
23bfd7d
@randshell
Change to nginx
b1f22ac
@randshell
Improve env handling
500d28b
@randshell
Fix hostnames
7e6c399
@randshell
Fix compose file and env variables
a3ed2f3
@randshell
Fix nginx and add letsencrypt volume
0f5f85b
@randshell
Remove blur and improve preview layout
0e2c79e
@randshell
Fix xss payload URL
7b19be0
@randshell
Fix chown command in Dockerfile
3a30fbc
@randshell
Switch from SendGrid back to SMTP
746cc2d
@randshell
Update email template
1f117a6
@randshell
Fix victim's API retrieval
000b88f 
Please see the official docs for preserving IP on a Docker rootless install
https://docs.docker.com/engine/security/rootless/troubleshoot/#docker-run--p-does-not-propagate-source-ip-addresses
@randshell randshell requested a review from a team as a code owner January 15, 2026 14:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@randshell