Skip to content

Commit 9fbbd22

Browse files
PiccirelloPiccirello
committed
refactor(hobby): use dedicated browserless token instead of POSTHOG_SECRET
Fresh installs generate a separate BROWSERLESS_SECRET so the rendering container (which loads untrusted web pages) never holds Django's SECRET_KEY. The compose file falls back to POSTHOG_SECRET for existing installs whose .env predates the variable.
1 parent 02c7ca1 commit 9fbbd22

2 files changed

Lines changed: 10 additions & 5 deletions

File tree

bin/deploy-hobby

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -134,9 +134,14 @@ if [ -f .env ]; then
134134
else
135135
POSTHOG_SECRET=$(head -c 28 /dev/urandom | sha224sum -b | head -c 56)
136136
ENCRYPTION_SALT_KEYS=$(openssl rand -hex 16)
137+
# Dedicated browserless token so a compromise of the rendering container can't yield
138+
# Django's SECRET_KEY (the compose file falls back to POSTHOG_SECRET when unset, for
139+
# installs whose .env predates this variable).
140+
BROWSERLESS_SECRET=$(openssl rand -hex 32)
137141
cat > .env <<EOF
138142
POSTHOG_SECRET=$POSTHOG_SECRET
139143
ENCRYPTION_SALT_KEYS=$ENCRYPTION_SALT_KEYS
144+
BROWSERLESS_SECRET=$BROWSERLESS_SECRET
140145
DOMAIN=$DOMAIN
141146
TLS_BLOCK=$TLS_BLOCK
142147
REGISTRY_URL=$REGISTRY_URL

docker-compose.hobby.yml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -104,9 +104,9 @@ services:
104104
PERSONHOG_ENABLED: 'true'
105105
PERSONHOG_ROLLOUT_PERCENTAGE: '100'
106106
BROWSERLESS_CDP_URL: 'ws://browserless:3000'
107-
BROWSERLESS_TOKEN: $POSTHOG_SECRET
107+
BROWSERLESS_TOKEN: ${BROWSERLESS_SECRET:-$POSTHOG_SECRET}
108108
HEATMAP_BROWSERLESS_URL: 'http://browserless:3000'
109-
HEATMAP_BROWSERLESS_TOKEN: $POSTHOG_SECRET
109+
HEATMAP_BROWSERLESS_TOKEN: ${BROWSERLESS_SECRET:-$POSTHOG_SECRET}
110110
# blockConsentModals is a browserless.io cloud API extension; the OSS image 400s on it
111111
HEATMAP_BROWSERLESS_BLOCK_CONSENT_MODALS: 'false'
112112
image: $REGISTRY_URL:$POSTHOG_APP_TAG
@@ -344,7 +344,7 @@ services:
344344
restart: on-failure
345345
logging: *default-logging
346346
environment:
347-
TOKEN: $POSTHOG_SECRET
347+
TOKEN: ${BROWSERLESS_SECRET:-$POSTHOG_SECRET}
348348

349349
asyncmigrationscheck:
350350
extends:
@@ -406,9 +406,9 @@ services:
406406
SITE_URL: https://$DOMAIN
407407
SECRET_KEY: $POSTHOG_SECRET
408408
BROWSERLESS_CDP_URL: 'ws://browserless:3000'
409-
BROWSERLESS_TOKEN: $POSTHOG_SECRET
409+
BROWSERLESS_TOKEN: ${BROWSERLESS_SECRET:-$POSTHOG_SECRET}
410410
HEATMAP_BROWSERLESS_URL: 'http://browserless:3000'
411-
HEATMAP_BROWSERLESS_TOKEN: $POSTHOG_SECRET
411+
HEATMAP_BROWSERLESS_TOKEN: ${BROWSERLESS_SECRET:-$POSTHOG_SECRET}
412412
# blockConsentModals is a browserless.io cloud API extension; the OSS image 400s on it
413413
HEATMAP_BROWSERLESS_BLOCK_CONSENT_MODALS: 'false'
414414
depends_on:

0 commit comments

Comments
 (0)