soeren/fotospiel-app
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
Files
9afcaa78362783fffa11968b1193a07f173216ff
fotospiel-app/docs/archive/prp/09-security-compliance.md
Codex Agent 9afcaa7836 further rework to the documentation
2025-11-20 12:31:21 +01:00

2.3 KiB
Raw Blame History

09 — Security & Compliance

  • Roles: super_admin, tenant_admin, member; guest upload via signed tokens.
  • Policies: all tenant-owned models gated; Super Admin bypass via explicit ability.
  • Audit: record impersonation and destructive actions with actor, target, reason.
  • Logging: structured, no PII; add request/trace IDs; redact secrets.
  • GDPR: retention settings per tenant; deletion workflows; legal pages managed via CMS-like resource.
  • Rate limits: per-tenant, per-user, per-device; protect upload and admin mutations.

2025 Hardening Priorities

  • Identity & Token ManagementOwner: Backend Platform
    Track Sanctum PAT issuance and revocation. Provide tooling to list/revoke active PATs per tenant admin and document forced re-login procedures for compromised devices.
  • Guest Join TokensOwner: Guest Platform
    Hash stored join tokens, add anomaly metrics (usage spikes, stale tokens), and tighten gallery/photo rate limits with visibility in storage dashboards. Join-token access is now logged to event_join_token_events with summaries surfaced in the Event admin modal.
  • Public API ResilienceOwner: Core API
    Ensure gallery/download endpoints serve signed URLs, expand abuse throttles (token + IP), and document incident response runbooks in ops guides. See docs/ops/deployment/public-api-incident-playbook.md for the response checklist.
  • Media Pipeline & StorageOwner: Media Services
    Introduce antivirus + EXIF scrubbing workers, stream uploads to disk to avoid buffering, and enforce checksum verification during hot→archive transfers with configurable alerts from StorageHealthService.
    • Queue media-security (job: ProcessPhotoSecurityScan) performs antivirus + EXIF sanitisation per upload; configure via config/security.php.
  • Payments & WebhooksOwner: Billing
    Align legacy Stripe hooks with checkout sessions, add idempotency locks/signature expiry checks, and plug failed capture notifications into the credit ledger audit trail.
  • Frontend & CSPOwner: Marketing Frontend
    Replace unsafe-inline allowances (Stripe/Matomo) with nonce or hashed CSP rules, gate analytics injection behind consent, and localise cookie-banner copy that discloses data sharing.

Progress updates belong in docs/process/changes/ and roadmap status in docs/process/roadmap.md.

Reference in New Issue View Git Blame Copy Permalink