fix(segurança): corrigir 10 vulnerabilidades do relatório de segurança

- tokens: remover aceite de expiresAt NULL e forçar TTL de 1 ano - tokens: corrigir refresh que invalidava access token anterior - xlsx: desabilitar parsing de fórmulas (CVE-2024-44294) - csp: expandir Content-Security-Policy com origens explícitas - headers: adicionar Referrer-Policy e X-Permitted-Cross-Domain-Policies - api: retornar 401 JSON em vez de redirect 302 em rotas autenticadas - health: remover version disclosure do /api/health - robots.txt: simplificar para não expor rotas internas - sitemap: corrigir URL com protocolo duplicado - criar security.txt (RFC 9116) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-09 11:01:45 +00:00 · 2026-04-04 02:47:05 +00:00
parent fd4d90a53e
commit 10afef9fec
17 changed files with 113 additions and 52 deletions
--- a/src/app/robots.ts
+++ b/src/app/robots.ts
@@ -6,25 +6,7 @@ export default function robots(): MetadataRoute.Robots {
 			{
 				userAgent: "*",
 				allow: "/",
-				disallow: [
-					"/dashboard",
-					"/transactions",
-					"/accounts",
-					"/cards",
-					"/categories",
-					"/budgets",
-					"/payers",
-					"/notes",
-					"/insights",
-					"/calendar",
-					"/attachments",
-					"/settings",
-					"/reports",
-					"/inbox",
-					"/login",
-					"/signup",
-					"/api/",
-				],
+				disallow: "/api/",
 			},
 		],
 	};