Harden app security controls from audit

2026-02-08 18:40:13 +01:00
parent a6364b0802
commit 42e60d2a5a
20 changed files with 689 additions and 109 deletions


@@ -9,7 +9,7 @@ Scope: `Program.cs`, `Endpoints/*`, `Infrastructure/*`, `wwwroot/js/*`, deployme
## High
- [ ] Fix stored XSS in confirmation modal flows.
- [x] Fix stored XSS in confirmation modal flows.
Evidence: `wwwroot/js/modals-ui.js:41`, `wwwroot/js/modals-ui.js:43`, `wwwroot/js/modals-ui.js:47`, `wwwroot/js/suggestions-ui.js:481`, `wwwroot/js/data.js:44`, `wwwroot/js/data.js:57`, `wwwroot/js/admin-ui.js:48`.
Risk: user-controlled names are injected into HTML and can execute script in other users' sessions (including admin interactions).
Tasks:
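Review bot: flipping `- [ ] Fix stored XSS in confirmation modal flows.` to `- [x]` leaves the Evidence line (`wwwroot/js/modals-ui.js:41`, `:43`, `:47`, `suggestions-ui.js:481`, `data.js:44`, `data.js:57`, `admin-ui.js:48`) and the Risk line unchanged, so the entry still reads as an open finding pointing at injection sites that presumably no longer exist at those line numbers. The checked item should say what the fix was (for example, which call sites moved from HTML injection to text-node assignment or escaping), refresh or drop the stale line references, and the Risk line should describe residual risk, not the original one. The Tasks list for this item falls outside the hunk, so it is not possible to confirm here that each task was actually completed before the box was ticked.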
@@ -19,14 +19,14 @@ Scope: `Program.cs`, `Endpoints/*`, `Infrastructure/*`, `wwwroot/js/*`, deployme
## Medium
- [ ] Add request-throttling and brute-force protection for authentication/admin-sensitive routes.
- [x] Add request-throttling and brute-force protection for authentication/admin-sensitive routes.
Evidence: `Endpoints/AuthEndpoints.cs:16`, `Endpoints/AuthEndpoints.cs:62`, `Program.cs:49`, `Program.cs:64` (no `AddRateLimiter` / `UseRateLimiter` configured).
Risk: password guessing and admin-key guessing are not rate-limited.
Tasks:
1. Configure ASP.NET Core rate limiting policies for `/api/auth/*` and privileged admin routes.
2. Add lockout/backoff telemetry and alerts for repeated failed auth attempts.
- [ ] Harden screenshot URL validation against SSRF bypass techniques.
- [x] Harden screenshot URL validation against SSRF bypass techniques.
Evidence: `Endpoints/SuggestionValidator.cs:13`, `Endpoints/EndpointHelpers.cs:143`, `Endpoints/EndpointHelpers.cs:233`, `Endpoints/EndpointHelpers.cs:262`.
Risk: DNS rebinding and incomplete private/reserved IP filtering can allow internal network probing via server-side HTTP fetches.
Tasks:
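Review bot: the rate-limiting item is marked `[x]` while its Evidence line still states `(no `AddRateLimiter` / `UseRateLimiter` configured)` at `Program.cs:49` and `Program.cs:64`; either the evidence is now wrong or the item is not done. Update the Evidence to name the policies that were registered for `/api/auth/*` and the admin routes (and where `UseRateLimiter` sits in the pipeline), and add the lockout/backoff telemetry from task 2 if it was implemented, since nothing in the hunk shows it. The same applies to the SSRF item: `[x]` with the Risk line still asserting that DNS rebinding and incomplete private/reserved IP filtering allow internal probing, and with task 1 outside the hunk, gives no evidence that the validator at `Endpoints/SuggestionValidator.cs:13` and the helpers at `EndpointHelpers.cs:143/233/262` were changed. State the residual risk after the fix, or keep the box unchecked until the bypass tests in task 3 exist.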
@@ -34,7 +34,7 @@ Scope: `Program.cs`, `Endpoints/*`, `Infrastructure/*`, `wwwroot/js/*`, deployme
2. Ensure the request is pinned to validated IPs (or use a safe egress proxy/allowlist).
3. Add tests for loopback/private/reserved host bypass attempts.
- [ ] Add baseline HTTP security headers and enforce HTTPS policy.
- [x] Add baseline HTTP security headers and enforce HTTPS policy.
Evidence: `Program.cs:68`, `Program.cs:77`, `Program.cs:90` (no app-level CSP/HSTS/`X-Content-Type-Options`/`X-Frame-Options`/`Referrer-Policy` middleware).
Risk: weaker browser-side mitigation for XSS/clickjacking/content-type sniffing and transport downgrade mistakes.
Tasks:
@@ -42,7 +42,7 @@ Scope: `Program.cs`, `Endpoints/*`, `Infrastructure/*`, `wwwroot/js/*`, deployme
2. Enable HSTS in production and verify HTTPS redirection/termination settings.
3. Add deployment checklist validation in `IIS.md`.
- [ ] Restrict accepted host headers.
- [x] Restrict accepted host headers.
Evidence: `appsettings.json:8`.
Risk: wildcard `AllowedHosts` can increase exposure to host-header abuse patterns.
Tasks:
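Review bot: the security-headers item is ticked while its Evidence still reads `(no app-level CSP/HSTS/`X-Content-Type-Options`/`X-Frame-Options`/`Referrer-Policy` middleware)` for `Program.cs:68/77/90`, which directly contradicts the `[x]`. Replace that parenthetical with the headers that were actually added and their values (in particular the CSP, since a permissive one does not close the XSS mitigation gap named in the Risk line), and confirm task 3's `IIS.md` checklist change is part of this commit. Likewise, `Restrict accepted host headers.` is marked done but the Evidence for `appsettings.json:8` still describes a wildcard `AllowedHosts`; record the concrete host list that replaced it, otherwise a reviewer cannot tell whether the wildcard survived.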
@@ -51,21 +51,21 @@ Scope: `Program.cs`, `Endpoints/*`, `Infrastructure/*`, `wwwroot/js/*`, deployme
## Low
- [ ] Strengthen credential policy and password hashing parameters.
- [x] Strengthen credential policy and password hashing parameters.
Evidence: `Endpoints/AuthValidator.cs:24`, `Infrastructure/PasswordHasher.cs:9`.
Risk: weak user-selected passwords remain possible; PBKDF2 cost may become insufficient over time.
Tasks:
1. Enforce minimum password length/quality checks.
2. Review and periodically raise PBKDF2 iteration cost (or migrate to a stronger password hashing scheme).
- [ ] Reassess long-lived session defaults.
- [x] Reassess long-lived session defaults.
Evidence: `Program.cs:56`.
Risk: 30-day sliding cookie increases exposure window for stolen session cookies.
Tasks:
1. Reduce expiration window for privileged sessions or apply step-up auth for destructive admin actions.
2. Consider explicit idle timeout + absolute lifetime policy.
- [ ] Reevaluate permanent bootstrap-admin key behavior.
- [x] Reevaluate permanent bootstrap-admin key behavior.
Evidence: `Endpoints/AuthEndpoints.cs:26`, `Endpoints/AuthEndpoints.cs:30`, `Endpoints/AuthEndpoints.cs:34`.
Risk: a leaked `ADMIN_PASSWORD` can be reused indefinitely to create new admin accounts.
Tasks:
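Review bot: the three Low items are marked `[x]` but their Risk lines still describe the pre-fix state (`30-day sliding cookie`, `a leaked `ADMIN_PASSWORD` can be reused indefinitely`), and task 2 of the hashing item (`Review and periodically raise PBKDF2 iteration cost`) is a recurring activity that cannot be closed as done. Split that task into a completed part (the iteration count `Infrastructure/PasswordHasher.cs:9` now uses, or the scheme migrated to) and a recurring review note; for the session item, state the new expiration and idle/absolute lifetime values chosen so the `[x]` is verifiable. The bootstrap-admin entry ends at `Tasks:` with its task list outside the hunk, so there is nothing here showing how the permanent-key behavior at `Endpoints/AuthEndpoints.cs:26/30/34` was changed; the checked box should be accompanied by that detail or left open.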