feat: Implement onlyPOST configuration to restrict API to POST requests and enhance security measures

fix: Update base URLs in documentation and examples to reflect new server configuration
chore: Add favicon and logo SVG assets for improved branding
test: Add integration tests for onlyPOST functionality to ensure correct behavior

Author: xdan

.github/workflows/connector.yml

@@ -65,6 +65,22 @@ jobs:
           cache-from: type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/jodit-nodejs:latest
           cache-to: type=inline
 
+      - name: Image digest
+        run: echo ${{ steps.docker.outputs.digest }}
+
+      - name: Executing remote ssh commands server1.xdsoft.net
+        uses: appleboy/ssh-action@master
+        with:
+            host: ${{ secrets.HOST_SERVER }}
+            username: ${{ secrets.USERNAME_SERVER }}
+            key: ${{ secrets.SSH_PRIVATE_KEY }}
+            port: ${{ secrets.PORT }}
+            script: docker system prune -f -a &&
+                cd /var/www/xdsoft &&
+                docker compose pull jodit-nodejs &&
+                docker compose restart jodit-nodejs &&
+                docker compose up -d jodit-nodejs --force-recreate
+
   publish:
     runs-on: ubuntu-latest
     needs: test

.gitignore

@@ -9,4 +9,7 @@ dist/docs/
 _thumbs
 files/test
 old-api
-docs/.venv/
+docs/.venv/
+
+CLAUDE.md
+.claude

README.md

@@ -68,7 +68,8 @@ await start({
         name: 'uploads',
         title: 'User Uploads',
         root: '/var/www/uploads',
-        baseurl: 'http://localhost:8081/uploads/'
+        // NGINX or CDN base URL for accessing files
+        baseurl: 'http://localhost:8080/uploads/'
       }
     }
   }
@@ -101,6 +102,34 @@ await start({
 });
 ```
 
+### Security: POST-only Mode
+
+For enhanced security, you can restrict the API to only accept POST requests:
+
+```typescript
+import { start } from 'jodit-nodejs';
+
+await start({
+  port: 8081,
+  config: {
+    onlyPOST: true,  // Block all GET requests
+    sources: {
+      uploads: {
+        name: 'uploads',
+        title: 'User Uploads',
+        root: '/var/www/uploads',
+        baseurl: 'http://localhost:8080/uploads/'
+      }
+    }
+  }
+});
+```
+
+When `onlyPOST` is enabled:
+- All GET requests return 405 Method Not Allowed
+- Provides protection against CSRF attacks
+- Prevents parameter leakage in server logs
+
 ## Documentation
 
 📖 **[Complete Documentation](https://jodit.github.io/jodit-nodejs/)** - Full documentation with guides and API reference
@@ -127,6 +156,7 @@ await start({
 - ✅ **Document generation** - PDF and DOCX from HTML
 - ✅ **Access control** - role-based permissions, path restrictions
 - ✅ **Authentication** - cookie, JWT, express-session support
+- ✅ **Security** - POST-only mode, CSRF protection
 - ✅ **Express integration** - standalone or integrate with existing apps
 - ✅ **Custom storage** - local filesystem, S3, Azure, Google Cloud, etc.
 - ✅ **TypeScript** - full type safety with strict typing

docs/assets/images/favicon.svg

@@ -24,7 +24,8 @@ const customConfig: Partial<AppConfig> = {
     myfiles: {
       title: 'My Files',
       root: '/path/to/files',
-      baseurl: 'http://localhost:8081/files/'
+        // NGINX or CDN base URL for accessing files
+        baseurl: 'http://localhost:8080/uploads/'
     }
   }
 };
@@ -74,7 +75,8 @@ async function startWithConfig() {
       myfiles: {
         title: 'My Files',
         root: '/path/to/files',
-        baseurl: 'http://localhost:8081/files/'
+        // NGINX or CDN base URL for accessing files
+        baseurl: 'http://localhost:8080/uploads/'
       }
     }
   };
@@ -149,7 +151,8 @@ const customConfig = {
     myfiles: {
       title: 'My Files',
       root: '/path/to/files',
-      baseurl: 'http://localhost:8081/files/'
+        // NGINX or CDN base URL for accessing files
+        baseurl: 'http://localhost:8080/uploads/'
     }
   }
 };
@@ -209,7 +212,7 @@ node examples/with-express-session.js
 ## Next Steps
 
 - **[Express Integration](./express-integration.md)** - Integrate with existing Express apps
-- **[API Reference](./api-reference.md)** - Complete API endpoints documentation
+- **[API Reference](./api.md)** - Complete API endpoints documentation
 - **[Authentication](./authentication.md)** - Set up authentication methods
 - **[Access Control](./access-control.md)** - Configure permissions and ACL rules
 - **[Configuration](./config.md)** - Explore all configuration options

docs/assets/images/jodit-icon-simple.svg

@@ -38,7 +38,7 @@ await start({
       uploads: {
         title: 'Uploads',
         root: '/path/to/files',
-        baseurl: 'http://localhost:8081/files/'
+        baseurl: 'http://localhost:8080/files/'
       }
     }
   }
@@ -941,6 +941,53 @@ class CustomAccessControl implements IAccessControl {
 }
 ```
 
+### `onlyPOST`
+- **Type**: `boolean`
+- **Default**: `false`
+- **Used**: ✅ Yes
+- **Purpose**: Restrict API to only accept POST requests
+- **Usage**: When `true`, all GET requests will be blocked with 405 Method Not Allowed
+- **Security**: Useful for preventing CSRF attacks and ensuring all API calls use POST method
+
+**Example**:
+```typescript
+{
+  onlyPOST: true  // Block all GET requests, only allow POST
+}
+```
+
+**Why use `onlyPOST`?**
+
+By default, Jodit Connector accepts both GET and POST requests. However, in some scenarios you may want to force all requests to use POST method:
+
+1. **CSRF Protection**: GET requests can be triggered from any webpage (via `<img>` tags, `<script>` tags, etc.). By requiring POST, you ensure requests must come from your application's forms.
+
+2. **Security Compliance**: Some security policies require all API mutations to use POST method.
+
+3. **Parameter Privacy**: POST request bodies are not logged in web server access logs, unlike GET query parameters.
+
+When `onlyPOST` is enabled:
+- All GET requests return 405 Method Not Allowed error
+- POST requests continue to work normally
+- This applies to all endpoints including `/ping`
+
+**Client-side configuration** (Jodit editor):
+
+```javascript
+Jodit.make('#editor', {
+  uploader: {
+    url: 'http://localhost:8081/',
+    method: 'POST'  // Always use POST when onlyPOST is enabled
+  },
+  filebrowser: {
+    ajax: {
+      url: 'http://localhost:8081/',
+      method: 'POST'  // Always use POST when onlyPOST is enabled
+    }
+  }
+});
+```
+
 ### `allowReplaceSourceFile`
 - **Type**: `boolean`
 - **Default**: `true`
@@ -1021,7 +1068,7 @@ The following parameters are defined in the configuration but are **not currentl
       name: 'default',
       title: 'Files',
       root: '/var/www/files',
-      baseurl: 'http://localhost:8081/files/'
+      baseurl: 'http://localhost:8080/files/'
     }
   }
 }
@@ -1088,7 +1135,7 @@ The following parameters are defined in the configuration but are **not currentl
       name: 'fast',
       title: 'Fast Storage',
       root: '/ssd/files',
-      baseurl: 'http://localhost:8081/files/'
+      baseurl: 'http://localhost:8080/files/'
     }
   }
 }

docs/assets/images/jodit-icon.svg

@@ -163,7 +163,7 @@ start({
       uploads: {
         title: 'Uploads',
         root: '/path/to/files',
-        baseurl: 'http://localhost:8081/files/'
+        baseurl: 'http://localhost:8080/files/'
       }
     }
   }