soeren/fotospiel-app
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

finished security review for now

Browse Source
This commit is contained in:
Codex Agent
2025-12-09 20:36:35 +01:00
parent 928d28fcaf
commit 5c93bfa405
2 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/process/changes/2025-12-08-security-review-kickoff.md
View File

@@ -38,3 +38,13 @@
- Gallery/API assets moving to signed access: gallery listings and stats now use temporary signed routes for thumbnails/full URLs (token + photo id) instead of raw `Storage::url` where possible; queries filter to approved status. Fallbacks remain for legacy paths.
- CSP tightened: added style nonce, allowed https style sources for Stripe/Paddle, removed `style-src 'unsafe-inline'` in non-dev (dev keeps inline for Vite), and added `frame-ancestors 'self'`. Script nonce already in place.
- Branding assets signed: added signed branding asset route with path allowlist; branding logos use signed URLs; blog banners now emit signed URLs instead of raw `Storage::url`. Tenant photo resource now emits signed URLs for full/thumbnail variants.
- Paddle webhook throttled: added `throttle:paddle-webhook` (30/min per IP).
- Inline scripts/styles in guest/admin blades now carry nonces; inline styles consolidated into nonced blocks.
- Backfill thumbnails stores relative paths (no public URLs).
- Data export downloads remain auth-gated; added existence check and private/no-store headers on download.
**Remaining (low priority)**
- Signed URL TTL/scoping: can shorten TTLs (gallery/branding) and bind signatures to token/event for stricter replay protection; current defaults ~3060 mins are acceptable but could be reduced.
- Guest asset throttles: consider throttles on gallery asset/download/share routes for abuse mitigation; not critical if monitoring is in place.
- CORS prod allowlist: env-driven config exists; set `CORS_ALLOWED_ORIGINS` in prod/stage to match Traefik hosts when ready.
- Logging/PII: current logging avoids raw tokens/paths; keep this guard in future changes.

6
docs/process/todo/security-review-dec-2025.md
View File

@@ -109,6 +109,12 @@ Run a structured security review across marketing frontend + public API, Guest P
- [ ] CSRF on web forms and SPA flows; session cookie flags (Secure/HttpOnly/SameSite) over HTTPS.
- [ ] Rate limits alignment with documented policies; error messages avoid stack traces and sensitive data.
## Low-Priority Follow-ups
- Signed URL hardening: shorten TTLs (gallery/branding) and bind signatures to token/event identifiers to reduce replay risk.
- Guest asset throttles: add rate limiters for gallery asset/download/share routes keyed by token+IP; optional given existing monitoring.
- CORS prod allowlist: env config present; set `CORS_ALLOWED_ORIGINS` in prod/stage to match Traefik when ready.
- Logging hygiene: keep avoiding raw tokens/paths in logs; review when adding new logging.
## CSP Tightening Plan
- Add style nonces everywhere inline styles exist (root blade/templates) and remove `style-src 'unsafe-inline'` outside dev.
- Ensure script nonce is applied (already set via Vite); audit any inline event handlers.