Add configuration options for secure server bundle management

justin808 · claude · justin808 · commit 82494d6a0178 · 2025-09-21T14:28:49.000-10:00
Introduces two new configuration options to enhance server bundle path resolution and security: - server_bundle_output_path: Configurable directory for server bundle output (defaults to "ssr-generated") - enforce_secure_server_bundles: Optional security enforcement for server bundle loading (defaults to false for backward compatibility) These options work in conjunction with the existing bundle path resolution improvements to provide better organization and security for server-side rendering assets. Features: - Secure server bundle location configuration - Backward compatibility maintained with sensible defaults - Comprehensive documentation added to configuration guide - Full parameter support in Configuration class initialization 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/docs/guides/configuration.md b/docs/guides/configuration.md
@@ -129,6 +129,16 @@ ReactOnRails.configure do |config|
   # This manifest file is automatically generated by the React Server Components Webpack plugin. Only set this if you've configured the plugin to use a different filename.
   config.react_server_client_manifest_file = "react-server-client-manifest.json"
 
+  # Directory where server bundles will be output during build process.
+  # This allows organizing server-side rendering assets separately from client assets.
+  # Default is "ssr-generated"
+  config.server_bundle_output_path = "ssr-generated"
+
+  # When enabled, enforces that server bundles are only loaded from secure, designated locations
+  # to prevent potential security risks from loading untrusted server-side code.
+  # Default is false for backward compatibility.
+  config.enforce_secure_server_bundles = false
+
   # `prerender` means server-side rendering
   # default is false. This is an option for view helpers `render_component` and `render_component_hash`.
   # Set to true to change the default value to true.
diff --git a/lib/react_on_rails/configuration.rb b/lib/react_on_rails/configuration.rb
@@ -52,7 +52,9 @@ def self.configuration
       # If exceeded, an error will be thrown for server-side rendered components not registered on the client.
       # Set to 0 to disable the timeout and wait indefinitely for component registration.
       component_registry_timeout: DEFAULT_COMPONENT_REGISTRY_TIMEOUT,
-      generated_component_packs_loading_strategy: nil
+      generated_component_packs_loading_strategy: nil,
+      server_bundle_output_path: "ssr-generated",
+      enforce_secure_server_bundles: false
     )
   end
 
@@ -68,7 +70,8 @@ class Configuration
                   :same_bundle_for_client_and_server, :rendering_props_extension,
                   :make_generated_server_bundle_the_entrypoint,
                   :generated_component_packs_loading_strategy, :immediate_hydration, :rsc_bundle_js_file,
-                  :react_client_manifest_file, :react_server_client_manifest_file, :component_registry_timeout
+                  :react_client_manifest_file, :react_server_client_manifest_file, :component_registry_timeout,
+                  :server_bundle_output_path, :enforce_secure_server_bundles
 
     # rubocop:disable Metrics/AbcSize
     def initialize(node_modules_location: nil, server_bundle_js_file: nil, prerender: nil,
@@ -85,7 +88,7 @@ def initialize(node_modules_location: nil, server_bundle_js_file: nil, prerender
                    random_dom_id: nil, server_render_method: nil, rendering_props_extension: nil,
                    components_subdirectory: nil, auto_load_bundle: nil, immediate_hydration: nil,
                    rsc_bundle_js_file: nil, react_client_manifest_file: nil, react_server_client_manifest_file: nil,
-                   component_registry_timeout: nil)
+                   component_registry_timeout: nil, server_bundle_output_path: nil, enforce_secure_server_bundles: nil)
       self.node_modules_location = node_modules_location.present? ? node_modules_location : Rails.root
       self.generated_assets_dirs = generated_assets_dirs
       self.generated_assets_dir = generated_assets_dir
@@ -130,6 +133,8 @@ def initialize(node_modules_location: nil, server_bundle_js_file: nil, prerender
       self.defer_generated_component_packs = defer_generated_component_packs
       self.immediate_hydration = immediate_hydration
       self.generated_component_packs_loading_strategy = generated_component_packs_loading_strategy
+      self.server_bundle_output_path = server_bundle_output_path
+      self.enforce_secure_server_bundles = enforce_secure_server_bundles
     end
     # rubocop:enable Metrics/AbcSize
 
