soeren/fotospiel-app
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

finished security review for now

Browse Source
This commit is contained in:
Codex Agent
2025-12-09 20:36:35 +01:00
parent 928d28fcaf
commit 5c93bfa405
2 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/process/todo/security-review-dec-2025.md
View File

@@ -109,6 +109,12 @@ Run a structured security review across marketing frontend + public API, Guest P
- [ ] CSRF on web forms and SPA flows; session cookie flags (Secure/HttpOnly/SameSite) over HTTPS.
- [ ] Rate limits alignment with documented policies; error messages avoid stack traces and sensitive data.
## Low-Priority Follow-ups
- Signed URL hardening: shorten TTLs (gallery/branding) and bind signatures to token/event identifiers to reduce replay risk.
- Guest asset throttles: add rate limiters for gallery asset/download/share routes keyed by token+IP; optional given existing monitoring.
- CORS prod allowlist: env config present; set `CORS_ALLOWED_ORIGINS` in prod/stage to match Traefik when ready.
- Logging hygiene: keep avoiding raw tokens/paths in logs; review when adding new logging.
## CSP Tightening Plan
- Add style nonces everywhere inline styles exist (root blade/templates) and remove `style-src 'unsafe-inline'` outside dev.
- Ensure script nonce is applied (already set via Vite); audit any inline event handlers.