From 5c93bfa4050ab6b484d5ddd71c31fc246cdcdcd3 Mon Sep 17 00:00:00 2001 From: Codex Agent Date: Tue, 9 Dec 2025 20:36:35 +0100 Subject: [PATCH] finished security review for now --- .../changes/2025-12-08-security-review-kickoff.md | 10 ++++++++++ docs/process/todo/security-review-dec-2025.md | 6 ++++++ 2 files changed, 16 insertions(+) diff --git a/docs/process/changes/2025-12-08-security-review-kickoff.md b/docs/process/changes/2025-12-08-security-review-kickoff.md index 7001b49..e797039 100644 --- a/docs/process/changes/2025-12-08-security-review-kickoff.md +++ b/docs/process/changes/2025-12-08-security-review-kickoff.md 
@@ -38,3 +38,13 @@ - Gallery/API assets moving to signed access: gallery listings and stats now use temporary signed routes for thumbnails/full URLs (token + photo id) instead of raw `Storage::url` where possible; queries filter to approved status. Fallbacks remain for legacy paths. - CSP tightened: added style nonce, allowed https style sources for Stripe/Paddle, removed `style-src 'unsafe-inline'` in non-dev (dev keeps inline for Vite), and added `frame-ancestors 'self'`. Script nonce already in place. - Branding assets signed: added signed branding asset route with path allowlist; branding logos use signed URLs; blog banners now emit signed URLs instead of raw `Storage::url`. Tenant photo resource now emits signed URLs for full/thumbnail variants. +- Paddle webhook throttled: added `throttle:paddle-webhook` (30/min per IP). +- Inline scripts/styles in guest/admin blades now carry nonces; inline styles consolidated into nonce’d blocks. +- Backfill thumbnails stores relative paths (no public URLs). +- Data export downloads remain auth-gated; added existence check and private/no-store headers on download. + +**Remaining (low priority)** +- Signed URL TTL/scoping: can shorten TTLs (gallery/branding) and bind signatures to token/event for stricter replay protection; current defaults ~30–60 mins are acceptable but could be reduced. +- Guest asset throttles: consider throttles on gallery asset/download/share routes for abuse mitigation; not critical if monitoring is in place. +- CORS prod allowlist: env-driven config exists; set `CORS_ALLOWED_ORIGINS` in prod/stage to match Traefik hosts when ready. +- Logging/PII: current logging avoids raw tokens/paths; keep this guard in future changes. diff --git a/docs/process/todo/security-review-dec-2025.md b/docs/process/todo/security-review-dec-2025.md index a99c4db..0be440f 100644 --- a/docs/process/todo/security-review-dec-2025.md +++ b/docs/process/todo/security-review-dec-2025.md 
@@ -109,6 +109,12 @@ Run a structured security review across marketing frontend + public API, Guest P - [ ] CSRF on web forms and SPA flows; session cookie flags (Secure/HttpOnly/SameSite) over HTTPS. - [ ] Rate limits alignment with documented policies; error messages avoid stack traces and sensitive data. +## Low-Priority Follow-ups +- Signed URL hardening: shorten TTLs (gallery/branding) and bind signatures to token/event identifiers to reduce replay risk. +- Guest asset throttles: add rate limiters for gallery asset/download/share routes keyed by token+IP; optional given existing monitoring. +- CORS prod allowlist: env config present; set `CORS_ALLOWED_ORIGINS` in prod/stage to match Traefik when ready. +- Logging hygiene: keep avoiding raw tokens/paths in logs; review when adding new logging. + ## CSP Tightening Plan - Add style nonces everywhere inline styles exist (root blade/templates) and remove `style-src 'unsafe-inline'` outside dev. - Ensure script nonce is applied (already set via Vite); audit any inline event handlers.
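Review bot: the `throttle:paddle-webhook` line (30/min per IP) should say that the limiter sits alongside, not in place of, webhook signature verification, and whether 30/min was sized against the provider's delivery pattern: a payment provider's webhooks typically arrive from a small fixed set of sender addresses, so a low per-IP limit will 429 legitimate bursts and the provider's retries will be throttled too, silently dropping billing events. Suggest recording the verification control and an alert on 429s for that route next to the limit. The first context line's "Fallbacks remain for legacy paths" is also the residual exposure left by the signed-access change, so the "Remaining (low priority)" list should name which paths still serve raw `Storage::url` rather than only the TTL/scoping follow-up.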
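Review bot: the new "Low-Priority Follow-ups" items use plain `-` bullets while this checklist tracks work with `- [ ]` task boxes (see the two context lines above), so they will not be ticked off or closed like the other items; suggest `- [ ] Signed URL hardening: ...` and so on. The section is also inserted directly above "CSP Tightening Plan", whose first steps (style nonces everywhere, removing `style-src 'unsafe-inline'` outside dev) are recorded as completed in the changelog hunk of this same patch; that plan should be marked done or moved so the todo does not reopen finished work. The throttle item here ("add rate limiters ... keyed by token+IP") is firmer than the changelog's "consider throttles"; pick one wording so the two documents agree.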