nsbp-cli 0.2.21 → 0.2.24

package/README.md

@@ -147,7 +147,7 @@ node ./bin/nsbp.js --help  # Test CLI locally
 
 - **Package Name**: `nsbp-cli`
 - **Bin Command**: `nsbp` (install globally and run `nsbp --help`)
-- **Version**: `0.2.21`
+- **Version**: `0.2.24`
 - **Dependencies**: chalk, commander, fs-extra, inquirer
 - **Package Manager**: Uses pnpm (also compatible with npm)
 - **Node Version**: >=16.0.0

package/bin/nsbp.js

@@ -21,7 +21,7 @@ program
   .command('create <project-name>')
   .description('Create a new NSBP project')
   .option('-t, --template <template>', 'Specify template (basic, blog, ecommerce)', 'basic')
-  .option('--skip-install', 'Skip npm install')
+  .option('--skip-install', 'Skip pnpm install')
   .action(async (projectName, options) => {
     console.log(chalk.cyan(`🚀 Creating NSBP project: ${projectName}`));
     
@@ -104,15 +104,10 @@ program
       // Create package.json for new project
       const originalPackage = require(path.join(templateSource, 'package.json'));
       const newPackage = {
+        ...originalPackage,
         name: projectName,
         version: '1.0.0',
-        description: `NSBP project: ${projectName}`,
-        scripts: originalPackage.scripts,
-        dependencies: originalPackage.dependencies,
-        devDependencies: originalPackage.devDependencies,
-        keywords: originalPackage.keywords,
-        author: originalPackage.author,
-        license: originalPackage.license
+        description: `NSBP project: ${projectName}`
       };
 
       fs.writeFileSync(
@@ -120,20 +115,43 @@ program
         JSON.stringify(newPackage, null, 2)
       );
 
+      // Remove package-lock.json if exists (use pnpm instead)
+      const packageLockPath = path.join(targetDir, 'package-lock.json');
+      if (fs.existsSync(packageLockPath)) {
+        fs.removeSync(packageLockPath);
+      }
+
+      // Create .npmignore to prevent package-lock.json from being committed
+      const npmignorePath = path.join(targetDir, '.npmignore');
+      if (!fs.existsSync(npmignorePath)) {
+        fs.writeFileSync(npmignorePath, 'package-lock.json\n');
+      }
+
       // Optionally install dependencies
       if (!options.skipInstall) {
+        // Check if pnpm is available
+        try {
+          execSync('which pnpm', { stdio: 'ignore' });
+        } catch {
+          console.error(chalk.red('❌ pnpm is not installed or not available in PATH.'));
+          console.error(chalk.yellow('Please install pnpm before continuing:'));
+          console.error(chalk.cyan('  npm install -g pnpm'));
+          console.error(chalk.yellow('Or use --skip-install flag to skip dependency installation.'));
+          process.exit(1);
+        }
+        
         console.log(chalk.cyan('📦 Installing dependencies...'));
         process.chdir(targetDir);
-        execSync('npm install', { stdio: 'inherit' });
+        execSync('pnpm install', { stdio: 'inherit' });
       }
 
       console.log(chalk.green(`✅ NSBP project "${projectName}" created successfully!`));
       console.log(chalk.yellow('\nNext steps:'));
       console.log(`  cd ${projectName}`);
       if (options.skipInstall) {
-        console.log('  npm install');
+        console.log('  pnpm install');
       }
-      console.log('  npm run dev');
+      console.log('  pnpm run dev');
       console.log(chalk.cyan('\nHappy coding! 🎉'));
 
     } catch (error) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nsbp-cli",
-  "version": "0.2.21",
+  "version": "0.2.24",
   "description": "CLI tool for creating NSBP (Node React SSR by Webpack) projects",
   "main": "index.js",
   "homepage": "https://nsbp.erishen.cn/",
@@ -17,7 +17,7 @@
     "start": "node ./bin/nsbp.js",
     "test": "echo \"Error: no test specified\" && exit 1",
     "sync-template": "node ./scripts/sync-template.js",
-    "update": "npm run sync-template",
+    "update": "pnpm run sync-template",
     "update-changelog": "node ./scripts/update-changelog.js",
     "changelog": "npx conventional-changelog -p angular -i CHANGELOG.md -s"
   },

package/templates/basic/Makefile

@@ -1,4 +1,4 @@
-.PHONY: help build dev prod down clean logs restart
+.PHONY: help build dev prod down clean logs restart env-dev env-prod env-local
 
 # Package manager detection
 PNPM := $(shell which pnpm)
@@ -19,48 +19,90 @@ help: ## Show this help message
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
 
 build: ## Build Docker images for production
-	$(COMPOSE) build
+	$(COMPOSE) -f docker/docker-compose.yml build
 
 build-dev: ## Build Docker images for development
-	$(COMPOSE) -f docker-compose.dev.yml build
+	$(COMPOSE) -f docker/docker-compose.dev.yml build
 
 dev: ## Start development environment (removes orphan containers)
-	$(COMPOSE) -f docker-compose.dev.yml up --build --remove-orphans
+	$(COMPOSE) -f docker/docker-compose.dev.yml up --build --remove-orphans
 
 prod: ## Start production environment (removes orphan containers)
-	$(COMPOSE) up -d --remove-orphans
+	$(COMPOSE) -f docker/docker-compose.yml up -d --remove-orphans
 
 down: ## Stop and remove containers (including orphan containers)
-	$(COMPOSE) down --remove-orphans
-	$(COMPOSE) -f docker-compose.dev.yml down --remove-orphans
+	$(COMPOSE) -f docker/docker-compose.yml down --remove-orphans
+	$(COMPOSE) -f docker/docker-compose.dev.yml down --remove-orphans
 
 clean: ## Stop containers, remove images and volumes (including orphan containers)
-	$(COMPOSE) down -v --rmi all --remove-orphans
-	$(COMPOSE) -f docker-compose.dev.yml down -v --rmi all --remove-orphans
+	$(COMPOSE) -f docker/docker-compose.yml down -v --rmi all --remove-orphans
+	$(COMPOSE) -f docker/docker-compose.dev.yml down -v --rmi all --remove-orphans
 
 logs: ## View logs
-	$(COMPOSE) logs -f
+	$(COMPOSE) -f docker/docker-compose.yml logs -f
 
 logs-dev: ## View development logs
-	$(COMPOSE) -f docker-compose.dev.yml logs -f
+	$(COMPOSE) -f docker/docker-compose.dev.yml logs -f
 
 restart: ## Restart production containers
-	$(COMPOSE) restart
+	$(COMPOSE) -f docker/docker-compose.yml restart
 
 restart-dev: ## Restart development containers
-	$(COMPOSE) -f docker-compose.dev.yml restart
+	$(COMPOSE) -f docker/docker-compose.dev.yml restart
 
 rebuild: ## Rebuild and restart production containers (removes orphan containers)
-	$(COMPOSE) up -d --build --remove-orphans
+	$(COMPOSE) -f docker/docker-compose.yml up -d --build --remove-orphans
 
 rebuild-dev: ## Rebuild and restart development containers (removes orphan containers)
-	$(COMPOSE) -f docker-compose.dev.yml up -d --build --remove-orphans
+	$(COMPOSE) -f docker/docker-compose.dev.yml up -d --build --remove-orphans
 
 shell: ## Open shell in production container
-	$(COMPOSE) exec app sh
+	$(COMPOSE) -f docker/docker-compose.yml exec app sh
 
 shell-dev: ## Open shell in development container
-	$(COMPOSE) -f docker-compose.dev.yml exec app sh
+	$(COMPOSE) -f docker/docker-compose.dev.yml exec app sh
 
 test: ## Run tests (if configured)
-	$(COMPOSE) exec app npm test
+	$(COMPOSE) -f docker/docker-compose.yml exec app $(PM) test
+
+env-dev: ## Set up development environment
+	@if [ -f .env.development ]; then \
+		cp .env.development .env && \
+		echo -e "\033[0;32m✅ 开发环境已配置 (.env)\033[0m"; \
+	else \
+		echo -e "\033[0;33m⚠️  .env.development 不存在\033[0m"; \
+	fi
+
+env-prod: ## Set up production environment
+	@if [ -f .env.production ]; then \
+		cp .env.production .env && \
+		echo -e "\033[0;32m✅ 生产环境已配置 (.env)\033[0m"; \
+	else \
+		echo -e "\033[0;33m⚠️  .env.production 不存在\033[0m"; \
+	fi
+
+env-local: ## Set up local environment with sensitive data
+	@if [ ! -f .env.local ]; then \
+		echo "# Local environment (contains sensitive data)" > .env.local && \
+		echo "# DO NOT commit this file to Git" >> .env.local && \
+		echo -e "\033[0;32m✅ .env.local 已创建\033[0m"; \
+		echo "请编辑 .env.local 添加敏感信息"; \
+	else \
+		echo -e "\033[0;33m⚠️  .env.local 已存在\033[0m"; \
+	fi
+
+show-env: ## Show current environment variables
+	@echo "========================================="
+	@echo "当前环境变量配置"
+	@echo "========================================="
+	@echo ""
+	@if [ -f .env ]; then \
+		echo "📄 .env 文件内容："; \
+		cat .env | grep -v "^#" | grep -v "^$$"; \
+	else \
+		echo "⚠️  .env 文件不存在"; \
+	fi
+	@echo ""
+	@if [ -f .env.local ]; then \
+		echo "📄 .env.local 文件存在（包含敏感信息）"; \
+	fi

package/templates/basic/README.md

@@ -2,10 +2,88 @@
 
 🌐 **Online Demo**: [https://nsbp.erishen.cn/](https://nsbp.erishen.cn/)
 
+## 环境变量配置
+
+### 快速开始
+
+```bash
+# 1. 复制环境变量模板
+cp .env.example .env
+
+# 2. 根据需要编辑 .env 文件
+# 编辑 NODE_ENV、PORT、ENABLE_RATE_LIMIT 等
+
+# 3. 开始开发或部署
+pnpm run dev              # 本地开发
+docker-compose up -d         # Docker 部署
+```
+
+### 环境变量说明
+
+| 变量名 | 默认值 | 说明 | 推荐环境 |
+|-------|--------|------|---------|
+| `NODE_ENV` | development | 运行环境 (development/production) | 全部 |
+| `PORT` | 3001 | 服务端口 | 全部 |
+| `ENABLE_RATE_LIMIT` | 0 | 启用速率限制 (1=启用, 0=禁用) | 生产环境 |
+| `DEBUG` | - | 启用调试日志 | 开发环境 |
+| `TZ` | Asia/Shanghai | 时区配置 | 生产环境 |
+
+### 配置文件说明
+
+- **`.env.example`** - 环境变量模板（提交到 Git）
+- **`.env`** - 本地开发配置（不提交到 Git）
+- **`.env.production`** - 生产环境配置（不提交到 Git）
+- **`.env.development`** - 开发环境配置（不提交到 Git）
+- **`.env.local`** - 本地敏感信息（最高优先级，不提交到 Git）
+
+### 配置优先级
+
+```
+.env.local > .env > docker-compose.yml 默认值
+```
+
+### 本地开发配置
+
+```bash
+# 复制开发环境配置
+cp .env.development .env
+
+# 或手动创建 .env 文件
+cat > .env << EOF
+NODE_ENV=development
+PORT=3001
+ENABLE_RATE_LIMIT=0
+EOF
+
+# 启动开发环境
+pnpm run dev
+```
+
+### Docker 部署配置
+
+```bash
+# 生产环境配置
+cp .env.production .env
+
+# Docker Compose 会自动读取 .env 文件
+docker-compose up -d
+
+# 查看环境变量是否生效
+docker-compose exec app env | grep NODE_ENV
+```
+
+### 敏感信息管理
+
+**重要：**
+- ✅ `.env.example` 可以提交到 Git（模板文件）
+- ❌ `.env`、`.env.local` 不要提交到 Git（已在 .gitignore 中）
+- ✅ 敏感信息（密钥、数据库密码）放在 `.env.local` 中
+- ✅ `.env.local` 会覆盖其他配置，优先级最高
+
 ## 开发
-- npm run dev   (开发运行)
-- npm run build (生产编译)
-- npm start     (生产运行)
+- pnpm run dev   (开发运行)
+- pnpm run build (生产编译)
+- pnpm start     (生产运行)
 
 ### 本地访问
 
@@ -141,6 +219,80 @@ make rebuild-dev   # 重新构建并启动开发环境
 
 - `NODE_ENV`: 运行环境 (production/development)
 - `PORT`: 服务端口 (默认 3001)
+- `ENABLE_RATE_LIMIT`: 启用速率限制 (1=启用，0=禁用，默认禁用)
+
+## 安全特性
+
+NSBP 内置了多层安全防护，默认启用生产级安全配置：
+
+### 已启用的安全措施
+
+#### 1. **HTTP 头部安全 (Helmet)**
+- Content Security Policy (CSP): 防止 XSS 攻击
+- X-Frame-Options: 防止点击劫持
+- X-Content-Type-Options: 防止 MIME 类型嗅探
+- Strict-Transport-Security: 强制 HTTPS
+- X-XSS-Protection: XSS 保护
+- Referrer-Policy: 控制引用信息
+
+#### 2. **静态文件安全**
+- ✅ 禁止访问 `.env`、`.git` 等敏感文件
+- ✅ 静态资源缓存优化（1 年缓存）
+- ✅ 请求体大小限制（10MB）
+
+#### 3. **技术栈隐藏**
+- ✅ 移除 `X-Powered-By` 头部
+- ✅ 不暴露 Express 版本信息
+
+#### 4. **速率限制 (可选)**
+- ✅ 15 分钟内最多 100 次请求
+- ✅ 自动限流恶意 IP
+- ✅ 可通过环境变量启用/禁用
+
+### 启用速率限制
+
+在生产环境中，建议启用速率限制以防止 DDoS 攻击：
+
+**Docker 方式：**
+```bash
+# docker-compose.yml 中添加
+environment:
+  - ENABLE_RATE_LIMIT=1
+```
+
+**本地开发方式：**
+```bash
+# .env 文件
+ENABLE_RATE_LIMIT=1
+
+# 或命令行
+ENABLE_RATE_LIMIT=1 pnpm start
+```
+
+### 安全最佳实践
+
+#### 生产环境建议
+1. ✅ **启用 HTTPS**: 使用反向代理（Nginx/Apache）配置 SSL
+2. ✅ **启用速率限制**: 防止暴力攻击和 DDoS
+3. ✅ **设置强密码**: 数据库、API 密钥等
+4. ✅ **定期更新依赖**: `pnpm update`
+5. ✅ **配置防火墙**: 限制入站流量
+
+#### 开发环境
+- ✅ 默认配置已足够
+- ❌ 不建议启用速率限制（影响开发效率）
+- ✅ 保留详细错误日志便于调试
+
+### 安全检查清单
+
+部署前请确认：
+- [ ] 已安装最新依赖 (`pnpm install`)
+- [ ] 环境变量已配置（NODE_ENV=production）
+- [ ] HTTPS 已配置
+- [ ] 敏感信息（密钥、数据库密码）已移出代码库
+- [ ] 速率限制已启用（生产环境）
+- [ ] 静态文件访问已测试
+- [ ] CSP 策略已测试（检查控制台错误）
 
 ### CLI 发布
 

package/templates/basic/{webpack.base.js → config/webpack.base.js}

@@ -2,7 +2,7 @@ const path = require('path')
 const MiniCssExtractPlugin = require('mini-css-extract-plugin')
 const CssMinimizerPlugin = require('css-minimizer-webpack-plugin')
 const TerserPlugin = require('terser-webpack-plugin')
-const { version } = require('./package.json')
+const { version } = require('../package.json')
 const LoadablePlugin = require('@loadable/webpack-plugin')
 const { createLoadableComponentsTransformer } = require('typescript-loadable-components-plugin')
 const BrowserSyncPlugin = require('browser-sync-webpack-plugin')
@@ -54,7 +54,7 @@ module.exports = ({ mode, entry, server, init }) => {
                 logInfoToStdOut: true,
                 logLevel: 'info',
                 transpileOnly: true,
-                configFile: path.resolve(__dirname, './tsconfig.json'),
+                configFile: path.resolve(__dirname, '../tsconfig.json'),
                 getCustomTransformers: (program) => {
                   // console.log('getCustomTransformers', program)
 

package/templates/basic/{webpack.client.js → config/webpack.client.js}

@@ -1,7 +1,7 @@
 const path = require('path') //node的path模块
 const { merge } = require('webpack-merge')
 const config = require('./webpack.base.js')
-const { version } = require('./package.json')
+const { version } = require('../package.json')
 
 const server = false
 
@@ -12,7 +12,7 @@ const entry = {
 const clientConfig = {
   output: {
     //打包出口
-    path: path.resolve(__dirname, 'public'),
+    path: path.resolve(__dirname, '../public'),
     filename: ({ chunk }) => {
       const { name } = chunk
       // console.log('name', name)

package/templates/basic/{webpack.server.js → config/webpack.server.js}

@@ -2,7 +2,7 @@ const path = require('path') //node的path模块
 const nodeExternals = require('webpack-node-externals')
 const { merge } = require('webpack-merge')
 const config = require('./webpack.base.js')
-const { version } = require('./package.json')
+const { version } = require('../package.json')
 
 const init = process.env.INIT || 0
 const server = true
@@ -18,12 +18,12 @@ const serverConfig = {
   output: {
     //打包出口
     filename: `bundle.${version}.js`, //打包后的文件名
-    path: path.resolve(__dirname, 'build'), //存放到根目录的build文件夹
+    path: path.resolve(__dirname, '../build'), //存放到根目录的build文件夹
     clean: true,
     libraryTarget: 'commonjs2'
   },
   externals: [
-    '@loadable/component', 
+    '@loadable/component',
     nodeExternals()
   ] //保持node中require的引用方式
 }

package/templates/basic/{Dockerfile → docker/Dockerfile}

@@ -16,7 +16,7 @@ RUN npm install -g pnpm && pnpm install
 COPY . .
 
 # Build application
-RUN npm run build
+RUN pnpm run build
 
 # Stage 2: Production
 FROM node:20-alpine AS production
@@ -43,7 +43,7 @@ COPY --from=builder /app/public ./public
 
 # Copy scripts and config
 COPY --from=builder /app/scripts ./scripts
-COPY --from=builder /app/tsconfig.json ./
+COPY --from=builder /app/tsconfig.json ./tsconfig.json
 
 # Change ownership
 RUN chown -R nodejs:nodejs /app

package/templates/basic/{Dockerfile.dev → docker/Dockerfile.dev}

@@ -49,4 +49,4 @@ EXPOSE 3001
 ENTRYPOINT ["/entrypoint.sh"]
 
 # Start development server
-CMD ["dumb-init", "--", "npm", "run", "dev"]
+CMD ["dumb-init", "--", "pnpm", "run", "dev"]

package/templates/basic/{docker-compose.dev.yml → docker/docker-compose.dev.yml}

@@ -1,29 +1,34 @@
+# 从 .env 文件读取环境变量（如果存在）
+# 开发环境配置优先级：.env > docker-compose.dev.yml 默认值
+
 services:
   app:
     build:
-      context: .
-      dockerfile: Dockerfile.dev
+      context: ..
+      dockerfile: docker/Dockerfile.dev
     container_name: nsbp-app-dev
     ports:
       - "3001:3001"
       - "9229:9229"  # Node.js debug port
     environment:
-      - NODE_ENV=development
-      - PORT=3001
+      - NODE_ENV=${NODE_ENV:-development}
+      - PORT=${PORT:-3001}
+      # 开发环境默认禁用速率限制，如需启用可在 .env 中设置
+      - ENABLE_RATE_LIMIT=${ENABLE_RATE_LIMIT:-0}
     volumes:
       # Mount source code for hot reload
       - ./src:/app/src
       - ./public:/app/public
       - ./scripts:/app/scripts
-      - ./webpack.base.js:/app/webpack.base.js
-      - ./webpack.client.js:/app/webpack.client.js
-      - ./webpack.server.js:/app/webpack.server.js
+      - ./config/webpack.base.js:/app/config/webpack.base.js
+      - ./config/webpack.client.js:/app/config/webpack.client.js
+      - ./config/webpack.server.js:/app/config/webpack.server.js
       - ./tsconfig.json:/app/tsconfig.json
       # Persist node_modules
       - node_modules:/app/node_modules
       # Build output - named volume for persistence
       - build_output:/app/build
-    command: ["dumb-init", "--", "npm", "run", "dev"]
+    command: ["dumb-init", "--", "pnpm", "run", "dev"]
     restart: unless-stopped
     networks:
       - nsbp-network

package/templates/basic/{docker-compose.yml → docker/docker-compose.yml}

@@ -1,14 +1,18 @@
+# 从 .env 文件读取环境变量（如果存在）
+# 生产环境配置优先级：.env > docker-compose.yml 默认值
+
 services:
   app:
     build:
-      context: .
-      dockerfile: Dockerfile
+      context: ..
+      dockerfile: docker/Dockerfile
     container_name: nsbp-app
     ports:
       - "8091:3001"
     environment:
-      - NODE_ENV=production
-      - PORT=3001
+      - NODE_ENV=${NODE_ENV:-production}
+      - PORT=${PORT:-3001}
+      - ENABLE_RATE_LIMIT=${ENABLE_RATE_LIMIT:-1}
     restart: unless-stopped
     healthcheck:
       test: ["CMD", "node", "-e", "require('http').get('http://localhost:3001', (r) => {process.exit(r.statusCode === 200 ? 0 : 1)})"]

package/templates/basic/gitignore

@@ -23,6 +23,8 @@ public/*.json
 .env
 .env.local
 .env.*.local
+.env.development
+.env.production
 
 # Logs
 logs

package/templates/basic/package.json

@@ -3,16 +3,16 @@
   "version": "1.0.0",
   "description": "node react ssr by webpack",
   "main": "index.js",
-  "homepage": "https://nsbp.erishen.cn/",
+  "homepage": "https://nsbp.erishen.cn",
   "scripts": {
     "dev": "npm-run-all -l -s dev:init -p dev:build:*",
-    "dev:init": "cross-env INIT=1 webpack --config webpack.server.js --mode development",
-    "dev:build:server": "webpack --config webpack.server.js --mode development --watch",
-    "dev:build:client": "webpack --config webpack.client.js --mode development --watch",
+    "dev:init": "cross-env INIT=1 webpack --config config/webpack.server.js --mode development",
+    "dev:build:server": "webpack --config config/webpack.server.js --mode development --watch",
+    "dev:build:client": "webpack --config config/webpack.client.js --mode development --watch",
     "dev:build:start": "node ./scripts/start.js",
-    "build": "npm run clean && npm-run-all -l -p build:**",
-    "build:server": "webpack --config webpack.server.js --mode production",
-    "build:client": "webpack --config webpack.client.js --mode production",
+    "build": "pnpm run clean && npm-run-all -l -p build:**",
+    "build:server": "webpack --config config/webpack.server.js --mode production",
+    "build:client": "webpack --config config/webpack.client.js --mode production",
     "start": "node ./scripts/start.js",
     "clean": "rimraf build && rimraf public/js && rimraf public/css && rimraf public/client.* && rimraf public/*.js && rimraf public/*.js.map && rimraf public/*.txt && rimraf public/*.json && rimraf .temp_cache",
     "format": "prettier --write **/*.{js,css,less,scss,ts,tsx}",
@@ -29,6 +29,7 @@
   ],
   "author": "Erishen Sun",
   "license": "ISC",
+  "packageManager": "pnpm@10.27.0",
   "dependencies": {
     "@loadable/component": "^5.15.0",
     "@loadable/server": "^5.15.0",
@@ -36,7 +37,9 @@
     "@reduxjs/toolkit": "^2.11.2",
     "axios": "^1.7.0",
     "express": "^5.2.1",
+    "express-rate-limit": "^8.2.0",
     "framer-motion": "^12.25.0",
+    "helmet": "^8.1.0",
     "lodash": "^4.17.21",
     "probe-image-size": "^7.1.0",
     "react": "^19.2.3",

package/templates/basic/public/favicon.svg

@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+  <defs>
+    <linearGradient id="gradient" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" stop-color="#2563eb" />
+      <stop offset="100%" stop-color="#1d4ed8" />
+    </linearGradient>
+  </defs>
+  <rect width="100" height="100" rx="20" fill="url(#gradient)" />
+  <text x="50" y="68" font-family="Arial, sans-serif" font-size="60" font-weight="bold" text-anchor="middle" fill="white">N</text>
+</svg>

package/templates/basic/public/site.webmanifest

@@ -0,0 +1,20 @@
+{
+  "name": "Nsbp.js - 轻量级 React SSR 框架",
+  "short_name": "Nsbp.js",
+  "description": "轻量级 React SSR 框架，专为低资源部署与高度可定制场景而生",
+  "icons": [
+    {
+      "src": "/favicon-192x192.png",
+      "sizes": "192x192",
+      "type": "image/png"
+    },
+    {
+      "src": "/favicon-512x512.png",
+      "sizes": "512x512",
+      "type": "image/png"
+    }
+  ],
+  "theme_color": "#2563eb",
+  "background_color": "#ffffff",
+  "display": "standalone"
+}

package/templates/basic/scripts/verify-dev.sh

@@ -20,7 +20,7 @@ else
     echo ""
     echo "启动命令："
     echo "  make dev"
-    echo "  docker-compose -f docker-compose.dev.yml up -d --build"
+    echo "  docker-compose -f docker/docker-compose.dev.yml up -d --build"
     exit 1
 fi
 
@@ -35,7 +35,7 @@ fi
 
 echo ""
 echo "3. 检查权限错误..."
-if docker-compose -f docker-compose.dev.yml logs 2>&1 | grep -q "EACCES"; then
+if docker-compose -f docker/docker-compose.dev.yml logs 2>&1 | grep -q "EACCES"; then
     echo -e "${RED}❌ 发现权限错误${NC}"
     echo ""
     echo "最近的权限错误："
@@ -46,7 +46,7 @@ fi
 
 echo ""
 echo "4. 检查构建状态..."
-if docker-compose -f docker-compose.dev.yml logs 2>&1 | grep -q "compiled successfully"; then
+if docker-compose -f docker/docker-compose.dev.yml logs 2>&1 | grep -q "compiled successfully"; then
     echo -e "${GREEN}✅ 构建完成${NC}"
 else
     echo -e "${YELLOW}⚠️  构建中或未开始${NC}"
@@ -54,7 +54,7 @@ fi
 
 echo ""
 echo "5. 检查服务器监听..."
-if docker-compose -f docker-compose.dev.yml logs 2>&1 | grep -q "listening"; then
+if docker-compose -f docker/docker-compose.dev.yml logs 2>&1 | grep -q "listening"; then
     echo -e "${GREEN}✅ 服务器正在监听${NC}"
 else
     echo -e "${YELLOW}⚠️  服务器尚未启动监听${NC}"
@@ -69,9 +69,9 @@ echo "访问应用："
 echo "  http://localhost:3001"
 echo ""
 echo "查看日志："
-echo "  docker-compose -f docker-compose.dev.yml logs -f"
+echo "  docker-compose -f docker/docker-compose.dev.yml logs -f"
 echo ""
 echo "停止服务："
 echo "  make down"
-echo "  docker-compose -f docker-compose.dev.yml down"
+echo "  docker-compose -f docker/docker-compose.dev.yml down"
 echo ""

package/templates/basic/scripts/verify-security.sh

@@ -0,0 +1,124 @@
+#!/bin/bash
+
+echo "========================================="
+echo "NSBP 安全功能验证"
+echo "========================================="
+echo ""
+
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+# 检查依赖
+echo "1. 检查安全依赖安装..."
+if grep -q '"helmet"' package.json && grep -q '"express-rate-limit"' package.json; then
+    echo -e "${GREEN}✅ helmet 和 express-rate-limit 已安装${NC}"
+else
+    echo -e "${RED}❌ 缺少安全依赖${NC}"
+    exit 1
+fi
+
+echo ""
+
+# 检查服务器代码
+echo "2. 检查服务器代码安全配置..."
+if grep -q "helmet(" src/server/index.ts; then
+    echo -e "${GREEN}✅ Helmet 已启用${NC}"
+else
+    echo -e "${RED}❌ Helmet 未配置${NC}"
+fi
+
+if grep -q "rateLimit" src/server/index.ts; then
+    echo -e "${GREEN}✅ 速率限制已配置（可选）${NC}"
+else
+    echo -e "${RED}❌ 速率限制未配置${NC}"
+fi
+
+if grep -q "dotfiles: 'ignore'" src/server/index.ts; then
+    echo -e "${GREEN}✅ dotfiles 访问已禁用${NC}"
+else
+    echo -e "${RED}⚠️  dotfiles 配置需要检查${NC}"
+fi
+
+if grep -q "disable('x-powered-by')" src/server/index.ts; then
+    echo -e "${GREEN}✅ X-Powered-By 已隐藏${NC}"
+else
+    echo -e "${RED}❌ X-Powered-By 未隐藏${NC}"
+fi
+
+if grep -q "express.json.*limit" src/server/index.ts && grep -q "express.urlencoded.*limit" src/server/index.ts; then
+    echo -e "${GREEN}✅ 请求体大小限制已配置${NC}"
+else
+    echo -e "${RED}❌ 请求体大小限制未配置${NC}"
+fi
+
+echo ""
+
+# 检查 CSP 配置
+echo "3. 检查 Content Security Policy..."
+if grep -q "contentSecurityPolicy" src/server/index.ts; then
+    echo -e "${GREEN}✅ CSP 已配置${NC}"
+    if grep -q "defaultSrc.*'self'" src/server/index.ts; then
+        echo -e "${GREEN}   - default-src: 'self'${NC}"
+    fi
+    if grep -q "scriptSrc" src/server/index.ts; then
+        echo -e "${GREEN}   - script-src 已配置${NC}"
+    fi
+    if grep -q "styleSrc" src/server/index.ts; then
+        echo -e "${GREEN}   - style-src 已配置${NC}"
+    fi
+    if grep -q "imgSrc.*https:" src/server/index.ts; then
+        echo -e "${GREEN}   - img-src 允许 HTTPS${NC}"
+    fi
+else
+    echo -e "${RED}❌ CSP 未配置${NC}"
+fi
+
+echo ""
+
+# 检查文档
+echo "4. 检查安全文档..."
+if grep -q "## 安全特性" README.md; then
+    echo -e "${GREEN}✅ 安全章节已添加到 README${NC}"
+else
+    echo -e "${YELLOW}⚠️  建议添加安全章节到 README${NC}"
+fi
+
+echo ""
+
+# 统计
+echo "========================================="
+echo "安全配置统计"
+echo "========================================="
+
+TOTAL_CHECKS=7
+PASSED_CHECKS=0
+
+# 统计通过项
+grep -q '"helmet"' package.json && grep -q '"express-rate-limit"' package.json && ((PASSED_CHECKS++))
+grep -q "helmet(" src/server/index.ts && ((PASSED_CHECKS++))
+grep -q "dotfiles: 'ignore'" src/server/index.ts && ((PASSED_CHECKS++))
+grep -q "disable('x-powered-by')" src/server/index.ts && ((PASSED_CHECKS++))
+grep -q "express.json.*limit" src/server/index.ts && ((PASSED_CHECKS++))
+grep -q "contentSecurityPolicy" src/server/index.ts && ((PASSED_CHECKS++))
+grep -q "## 安全特性" README.md && ((PASSED_CHECKS++))
+
+SCORE=$(( PASSED_CHECKS * 100 / TOTAL_CHECKS ))
+
+echo -e "通过率: ${PASSED_CHECKS}/${TOTAL_CHECKS} (${YELLOW}${SCORE}%${NC})"
+echo ""
+
+if [ $SCORE -eq 100 ]; then
+    echo -e "${GREEN}🎉 所有安全检查通过！${NC}"
+    echo "项目已达到生产级安全标准。"
+elif [ $SCORE -ge 70 ]; then
+    echo -e "${YELLOW}✅ 安全配置良好${NC}"
+    echo "建议检查未通过的项目。"
+else
+    echo -e "${RED}⚠️  安全配置需要改进${NC}"
+    echo "请检查上述未通过的项目。"
+fi
+
+echo ""
+echo "========================================="

package/templates/basic/src/containers/Home.tsx

@@ -369,7 +369,7 @@ export const getPhotoMenu = (req: any, res: any) => {
 
               <QuickStartCard>
                 <QuickStartTitle>2️⃣ 启动开发</QuickStartTitle>
-                <QuickStartCode>$ npm run dev</QuickStartCode>
+                <QuickStartCode>$ pnpm run dev</QuickStartCode>
                 <QuickStartDescription>
                   启动开发服务器，默认端口 3001
                 </QuickStartDescription>

package/templates/basic/src/server/index.ts

@@ -1,12 +1,62 @@
 import express from 'express'
+import helmet from 'helmet'
+import rateLimit from 'express-rate-limit'
 import { render } from './utils'
 import { getPhotoWH, getPhotoMenu } from './photo'
 import { useCurrentFlag, outPhotoDicPath } from '../utils/config'
 
 const app = express()
 
-app.use(express.static('public', { dotfiles: 'allow' }))
-!useCurrentFlag && app.use(express.static(outPhotoDicPath, { dotfiles: 'allow' }))
+// 1. Security headers (helmet)
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", "data:", "https:"],
+      connectSrc: ["'self'", "https:"],
+      fontSrc: ["'self'", "data:"],
+      objectSrc: ["'none'"],
+      mediaSrc: ["'self'"],
+      frameSrc: ["'none'"],
+    },
+  },
+  crossOriginEmbedderPolicy: false, // Allow inline scripts for SSR
+  crossOriginOpenerPolicy: false, // Allow window.open for development
+}))
+
+// 2. Hide X-Powered-By header
+app.disable('x-powered-by')
+
+// 3. Rate limiting (optional, controlled by environment variable)
+if (process.env.ENABLE_RATE_LIMIT === '1') {
+  const limiter = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 100, // Limit each IP to 100 requests per windowMs
+    message: 'Too many requests from this IP, please try again later.',
+    standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+    legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+  })
+  app.use('/api', limiter)
+  console.log('🛡️ Rate limiting enabled for /api routes')
+}
+
+// 4. Static file serving (disable dotfiles access)
+app.use(express.static('public', { 
+  dotfiles: 'ignore',
+  setHeaders: (res, filePath) => {
+    // Cache static assets for 1 year
+    if (filePath.match(/\.(js|css|png|jpg|jpeg|gif|svg|ico|woff|woff2|ttf|eot)$/)) {
+      res.setHeader('Cache-Control', 'public, max-age=31536000, immutable')
+    }
+  }
+}))
+!useCurrentFlag && app.use(express.static(outPhotoDicPath, { dotfiles: 'ignore' }))
+
+// 5. Body parsing with size limits
+app.use(express.json({ limit: '10mb' }))
+app.use(express.urlencoded({ limit: '10mb', extended: true }))
 
 //使用express提供的static中间件,中间件会将所有静态文件的路由指向public文件夹
 
@@ -27,4 +77,8 @@ app.use((req, res) => {
 const PORT = process.env.PORT || 3001
 app.listen(PORT, () => {
   console.log(`Server listening on port ${PORT}`)
+  console.log(`🔒 Security headers enabled`)
+  if (process.env.ENABLE_RATE_LIMIT === '1') {
+    console.log(`🚦 Rate limiting active`)
+  }
 })

package/templates/basic/src/server/utils.tsx

@@ -116,6 +116,13 @@ export const render = (req: any, res: any) => {
               <html>
                   <head>
                       <meta charset="utf-8">
+                      <link rel="icon" type="image/x-icon" href="/favicon.ico">
+                      <link rel="icon" type="image/svg+xml" href="/favicon.svg">
+                      <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png">
+                      <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png">
+                      <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png">
+                      <link rel="manifest" href="/site.webmanifest">
+                      <meta name="theme-color" content="#2563eb">
                       ${helmet?.title?.toString()}
                       ${helmet?.meta?.toString()}
                       ${styleTags}