refactor: remove CDN_HOST references from Dockerfiles and entrypoint, streamline asset loading configuration

Dockerfile.fips.standalone-infisical

@@ -2,8 +2,6 @@ ARG POSTHOG_HOST=https://app.posthog.com
 ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
 ARG CAPTCHA_SITE_KEY=captcha-site-key
-# CDN HOST placeholder - replaced at container startup with actual CDN_HOST env var
-ARG CDN_HOST=__INFISICAL_CDN_HOST__
 
 FROM node:20.19.5-trixie-slim AS base
 
@@ -38,8 +36,6 @@ ARG INFISICAL_PLATFORM_VERSION
 ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
 ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
-ARG CDN_HOST
-ENV VITE_CDN_HOST $CDN_HOST
 
 ENV NODE_OPTIONS="--max-old-space-size=8192"
 
@@ -189,10 +185,7 @@ COPY --from=backend-runner /app /backend
 
 COPY --from=frontend-runner /app ./backend/frontend-build
 
-# Copy CDN HOST replacement script for runtime CDN HOST replacement
+RUN chmod +x /backend/scripts/export-assets.sh
-COPY frontend/scripts/replace-standalone-build-variable.sh /backend/scripts/replace-standalone-build-variable.sh
-RUN chmod +x /backend/scripts/export-assets.sh /backend/scripts/replace-standalone-build-variable.sh
-RUN chown -R non-root-user:nodejs /backend/frontend-build
 
 ARG INFISICAL_PLATFORM_VERSION
 ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION

Dockerfile.standalone-infisical

@@ -2,8 +2,6 @@ ARG POSTHOG_HOST=https://app.posthog.com
 ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
 ARG CAPTCHA_SITE_KEY=captcha-site-key
-# CDN HOST placeholder - replaced at container startup with actual CDN_HOST env var
-ARG CDN_HOST=__INFISICAL_CDN_HOST__
 
 FROM node:20.19.5-trixie-slim AS base
 
@@ -40,8 +38,6 @@ ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ENV VITE_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 ARG CAPTCHA_SITE_KEY
 ENV VITE_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY
-ARG CDN_HOST
-ENV VITE_CDN_HOST $CDN_HOST
 ENV NODE_OPTIONS="--max-old-space-size=8192"
 
 # Build
@@ -178,10 +174,7 @@ ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 COPY --from=backend-runner /app /backend
 COPY --from=frontend-runner /app ./backend/frontend-build
 
-# Copy CDN HOST replacement script for runtime CDN HOST replacement
+RUN chmod +x /backend/scripts/export-assets.sh
-COPY frontend/scripts/replace-standalone-build-variable.sh /backend/scripts/replace-standalone-build-variable.sh
-RUN chmod +x /backend/scripts/export-assets.sh /backend/scripts/replace-standalone-build-variable.sh
-RUN chown -R non-root-user:nodejs /backend/frontend-build
 
 ARG INFISICAL_PLATFORM_VERSION
 ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION

backend/src/lib/config/env.ts

@@ -229,6 +229,7 @@ const envSchema = z
     CAPTCHA_SECRET: zpStr(z.string().optional()),
     CAPTCHA_SITE_KEY: zpStr(z.string().optional()),
     INTERCOM_ID: zpStr(z.string().optional()),
+    CDN_HOST: zpStr(z.string().optional()),
 
     // TELEMETRY
     OTEL_TELEMETRY_COLLECTION_ENABLED: zodStrBool.default("false"),

backend/src/server/plugins/serve-ui.ts

@@ -1,6 +1,8 @@
+import fs from "node:fs";
 import path from "node:path";
 
 import staticServe from "@fastify/static";
+import RE2 from "re2";
 
 import { getConfig, IS_PACKAGED } from "@app/lib/config/env";
 
@@ -15,6 +17,9 @@ export const registerServeUI = async (
     dir: string;
   }
 ) => {
+  const appCfg = getConfig();
+  const cdnHost = appCfg.CDN_HOST || "";
+
   // use this only for frontend runtime static non-sensitive configuration in standalone mode
   // that app needs before loading like posthog dsn key
   // for most of the other usecase use server config
@@ -25,15 +30,26 @@ export const registerServeUI = async (
       hide: true
     },
     handler: (_req, res) => {
-      const appCfg = getConfig();
       void res.type("application/javascript");
       const config = {
         CAPTCHA_SITE_KEY: appCfg.CAPTCHA_SITE_KEY,
         POSTHOG_API_KEY: appCfg.POSTHOG_PROJECT_API_KEY,
         INTERCOM_ID: appCfg.INTERCOM_ID,
-        TELEMETRY_CAPTURING_ENABLED: appCfg.TELEMETRY_ENABLED
+        TELEMETRY_CAPTURING_ENABLED: appCfg.TELEMETRY_ENABLED,
+        CDN_HOST: cdnHost
       };
-      const js = `window.__INFISICAL_RUNTIME_ENV__ = Object.freeze(${JSON.stringify(config)});`;
+      // Define window.__toCdnUrl for Vite's experimental.renderBuiltUrl runtime support
+      // This function is called by dynamically imported chunks to resolve CDN URLs
+      const js = `
+window.__INFISICAL_RUNTIME_ENV__ = Object.freeze(${JSON.stringify(config)});
+window.__toCdnUrl = function(filename) {
+  var cdnHost = window.__INFISICAL_RUNTIME_ENV__.CDN_HOST || "";
+  if (cdnHost && filename.startsWith("assets/")) {
+    return cdnHost + "/" + filename;
+  }
+  return "/" + filename;
+};
+`.trim();
       return res.send(js);
     }
   });
@@ -41,6 +57,23 @@ export const registerServeUI = async (
   if (standaloneMode) {
     const frontendName = IS_PACKAGED ? "frontend" : "frontend-build";
     const frontendPath = path.join(dir, frontendName);
+
+    const indexHtmlPath = path.join(frontendPath, "index.html");
+    let indexHtml = fs.readFileSync(indexHtmlPath, "utf-8");
+
+    if (cdnHost) {
+      // Replace relative asset paths with CDN URLs in script and link tags
+      indexHtml = indexHtml
+        .replace(/src="\/assets\//g, `src="${cdnHost}/assets/`)
+        .replace(/href="\/assets\//g, `href="${cdnHost}/assets/`);
+
+      const cspDirectives = ["script-src", "style-src", "font-src", "connect-src"];
+      for (const directive of cspDirectives) {
+        const regex = new RE2(`(${directive}\\s+'self')`, "g");
+        indexHtml = indexHtml.replace(regex, `$1 ${cdnHost}`);
+      }
+    }
+
     await server.register(staticServe, {
       root: frontendPath,
       wildcard: false,
@@ -60,12 +93,12 @@ export const registerServeUI = async (
           return;
         }
 
-        return reply.sendFile("index.html", {
+        return reply
-          immutable: false,
+          .type("text/html")
-          maxAge: 0,
+          .header("Cache-Control", "no-cache, no-store, must-revalidate")
-          lastModified: false,
+          .header("Pragma", "no-cache")
-          etag: false
+          .header("Expires", "0")
-        });
+          .send(indexHtml);
       }
     });
   }

frontend/scripts/replace-standalone-build-variable.sh

@@ -10,16 +10,7 @@ fi
 
 echo "Replacing pre-baked value.."
 
-# Escape special characters in REPLACEMENT for sed to avoid syntax errors
-ESCAPED_REPLACEMENT=$(printf '%s\n' "$REPLACEMENT" | sed 's/[\/&]/\\&/g')
-
-# Replace in JS files in assets directory
 find assets -type f -name "*.js" |
 while read file; do
-    sed -i "s|$ORIGINAL|$ESCAPED_REPLACEMENT|g" "$file"
+    sed -i "s|$ORIGINAL|$REPLACEMENT|g" "$file"
 done
-
-# Replace in index.html (for asset references)
-if [ -f "index.html" ]; then
-    sed -i "s|$ORIGINAL|$ESCAPED_REPLACEMENT|g" "index.html"
-fi

frontend/vite.config.ts

@@ -29,14 +29,7 @@ export default defineConfig(({ mode }) => {
     "0.0.1"
   ).replaceAll(".", "-");
 
-  // CDN HOST for static assets in /assets/* only.
-  // Docker: Set CDN_HOST env var at runtime (placeholder replaced at container startup).
-  // Direct build: Use --build-arg CDN_HOST=https://... or VITE_CDN_HOST env var.
-  // Default: Empty = same-origin asset loading.
-  const cdnHost = env.VITE_CDN_HOST || "";
-
   return {
-    base: "/",
     server: {
       allowedHosts,
       host: true,
@@ -60,12 +53,12 @@ export default defineConfig(({ mode }) => {
       }
     },
     experimental: {
-      // Only apply CDN HOST to files in /assets/* directory
+      renderBuiltUrl(filename, { hostType }) {
-      renderBuiltUrl(filename) {
+        if (hostType === "js") {
-        if (filename.startsWith("assets/") && cdnHost) {
+          return { runtime: `window.__toCdnUrl(${JSON.stringify(filename)})` };
-          return `${cdnHost}/${filename}`;
         }
-        return `/${filename}`;
+
+        return { relative: true };
       }
     },
     plugins: [

standalone-entrypoint.sh

@@ -2,14 +2,4 @@
 
 update-ca-certificates
 
-if [ -d "/backend/frontend-build/assets" ]; then
-    cd /backend/frontend-build || { echo "ERROR: Failed to cd to frontend-build"; exit 1; }
-    
-    if ! /backend/scripts/replace-standalone-build-variable.sh "__INFISICAL_CDN_HOST__" "${CDN_HOST:-}"; then
-        echo "WARNING: CDN HOST replacement failed, assets may not load correctly"
-    fi
-    
-    cd /backend || { echo "ERROR: Failed to cd to backend"; exit 1; }
-fi
-
 exec node --enable-source-maps dist/main.mjs