Harden app security controls from audit
This commit is contained in:
@@ -14,7 +14,7 @@ Your display name is required ‒ it appears next to all of your suggestions and
|
||||
### Do I need admin privileges?
|
||||
|
||||
If you've been given an **admin key**, enter it during registration. If the key is invalid, the request is rejected.
|
||||
Admin access cannot be added later. To become an admin, you must re-register with the correct key.
|
||||
Admin-key bootstrap is only available until the first admin account exists. Admin access cannot be added later. To become an admin afterward, an existing admin must create/manage access outside the public registration flow.
|
||||
|
||||
## Phases at a Glance
|
||||
|
||||
@@ -54,7 +54,7 @@ If you include a screenshot URL, it must:
|
||||
- Be directly accessible (no redirects)
|
||||
- Load within ~3 seconds
|
||||
- Be under **5 MB**
|
||||
- Not point to local or private hosts
|
||||
- Not point to local, private, or reserved hosts
|
||||
|
||||
Screenshots are optional.
|
||||
|
||||
@@ -193,9 +193,14 @@ Until then, the Suggest navigation shows a hint instead of a Next button, and sw
|
||||
|
||||
Register again using the correct key from the host ‒ or leave it blank to create a regular account.
|
||||
|
||||
### "Too many requests. Please try again shortly."
|
||||
|
||||
Auth and admin-sensitive routes are rate-limited to reduce brute-force attempts.
|
||||
Wait briefly, then retry.
|
||||
|
||||
## Data & Privacy
|
||||
|
||||
- Suggestions, votes, and phase states are stored in a shared **SQLite database**.
|
||||
- Passwords are stored with a SHA256 encryption.
|
||||
- Passwords are stored as salted PBKDF2-SHA256 hashes (not plaintext).
|
||||
- Logging out clears your authentication cookie and resets login/register form inputs.
|
||||
- If an admin deletes your player account, your suggestions and votes are removed as well.
|
||||
|
||||
Reference in New Issue
Block a user