finished security review for now
@@ -38,3 +38,13 @@
|
||||
- Gallery/API assets moving to signed access: gallery listings and stats now use temporary signed routes for thumbnails/full URLs (token + photo id) instead of raw `Storage::url` where possible; queries filter to approved status. Fallbacks remain for legacy paths.
|
||||
- CSP tightened: added style nonce, allowed https style sources for Stripe/Paddle, removed `style-src 'unsafe-inline'` in non-dev (dev keeps inline for Vite), and added `frame-ancestors 'self'`. Script nonce already in place.
|
||||
- Branding assets signed: added signed branding asset route with path allowlist; branding logos use signed URLs; blog banners now emit signed URLs instead of raw `Storage::url`. Tenant photo resource now emits signed URLs for full/thumbnail variants.
|
||||
- Paddle webhook throttled: added `throttle:paddle-webhook` (30/min per IP).
|
||||
- Inline scripts/styles in guest/admin blades now carry nonces; inline styles consolidated into nonce’d blocks.
|
||||
- Backfill thumbnails stores relative paths (no public URLs).
|
||||
- Data export downloads remain auth-gated; added existence check and private/no-store headers on download.
|
||||
|
||||
**Remaining (low priority)**
|
||||
- Signed URL TTL/scoping: can shorten TTLs (gallery/branding) and bind signatures to token/event for stricter replay protection; current defaults ~30–60 mins are acceptable but could be reduced.
|
||||
- Guest asset throttles: consider throttles on gallery asset/download/share routes for abuse mitigation; not critical if monitoring is in place.
|
||||
- CORS prod allowlist: env-driven config exists; set `CORS_ALLOWED_ORIGINS` in prod/stage to match Traefik hosts when ready.
|
||||
- Logging/PII: current logging avoids raw tokens/paths; keep this guard in future changes.
|
||||
|
||||
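Review bot: the CSP entry ("added style nonce, allowed https style sources for Stripe/Paddle, removed `style-src 'unsafe-inline'` in non-dev") does not say whether the allowed style source is the bare `https:` scheme or the specific Stripe/Paddle hosts; if it is the scheme, `style-src` still accepts a stylesheet from any HTTPS origin, which gives back most of what dropping `'unsafe-inline'` was meant to remove, so the entry should record the exact host list that was added. Note also that once a nonce is present in `style-src`, CSP3 browsers ignore `'unsafe-inline'` in that directive anyway, so the dev/non-dev split mainly matters for older browsers and for the script nonce that is "already in place". Separately, the Paddle webhook entry records only a throttle ("30/min per IP"); webhook senders deliver from a small set of addresses, so a per-IP limit can drop legitimate events in a burst, and the entry should state that signature verification on the webhook remains the primary control and that the throttle is a secondary abuse limit.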