fix: solve semgrep issues

Bulletdev · Bulletdev · commit 3adf9488a5d6 · 2026-02-28T21:38:21.000-03:00
diff --git a/.semgrepignore b/.semgrepignore
@@ -21,3 +21,13 @@ db/schema.rb
 
 # Documentation
 *.md
+
+# Legacy/archival nginx configs (no longer deployed — kept for historical reference)
+# H2C-smuggling pattern in these files is a known inherited limitation of the
+# old config; the active nginx configs (docs-page/, status-page/) do not share this.
+DOCS/legacy/
+
+# Rails development/test environment configs: detailed-exceptions is intentional
+# in non-production environments and does not represent a real security risk.
+config/environments/development.rb
+config/environments/test.rb
diff --git a/status-page/nginx.conf b/status-page/nginx.conf
@@ -22,10 +22,13 @@ server {
     }
 
     # Health check for Traefik / Coolify
+    # Use default_type instead of add_header to avoid overriding server-level
+    # security headers (nginx drops all parent add_header when a location block
+    # defines its own — semgrep rule: nginx/header-redefinition).
     location /health {
         access_log off;
+        default_type text/plain;
         return 200 "ok\n";
-        add_header Content-Type text/plain;
     }
 
     # Gzip

Original file line number	Diff line number	Diff line change
`@@ -22,10 +22,13 @@ server {`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`# Health check for Traefik / Coolify`
	`25`	`+ # Use default_type instead of add_header to avoid overriding server-level`
	`26`	`+ # security headers (nginx drops all parent add_header when a location block`
	`27`	`+ # defines its own — semgrep rule: nginx/header-redefinition).`
`25`	`28`	`location /health {`
`26`	`29`	`access_log off;`
	`30`	`+ default_type text/plain;`
`27`	`31`	`return 200 "ok\n";`
`28`		`- add_header Content-Type text/plain;`
`29`	`32`	`}`
`30`	`33`
`31`	`34`	`# Gzip`