Harden CSRF/CSP and add hash version upgrades

2026-02-18 20:51:18 +01:00
parent 3c7f3d2114
commit a130cba41a
23 changed files with 627 additions and 57 deletions

API.md

@@ -53,6 +53,9 @@ POST /api/admin/factory-reset — `{ password }`; wipe players, suggestions, vot
Owner restrictions: owner role/admin status cannot be changed, and owner account cannot be deleted.
## Security Defaults
- Mutating authenticated API requests (`POST`/`PUT`/`DELETE`/`PATCH`) enforce same-origin CSRF checks via `Origin`/`Referer`; cross-origin or missing-origin authenticated writes are rejected with `400`.
- Security headers are set on all responses (`CSP`, `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, `Permissions-Policy`).
- CSP is tightened to disallow inline styles and insecure image origins (`img-src` excludes `http:`).
- In production, HTTPS redirection and HSTS are enabled.
- Screenshot URL validation rejects private/reserved address ranges and pins outbound connections to validated public IPs.
- Password hashing is versioned; legacy hashes are transparently upgraded on successful login/admin password confirmation.
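Review bot: the CSRF bullet says same-origin is enforced via `Origin`/`Referer`, but it does not state what those headers are compared against (the request `Host` header or a configured public base URL). Behind a reverse proxy that rewrites `Host` or terminates TLS, a comparison against `Host` could reject every legitimate authenticated write with `400`, so please document the expected origin source and any proxy-related configuration. Two smaller gaps in the same list: the password-hashing bullet should make explicit that legacy hashes are upgraded only on a successful login or admin password confirmation, so accounts that never log in keep the old format indefinitely; and the screenshot-URL bullet should say whether HTTP redirects are followed and, if so, whether the redirect target is re-validated against the private/reserved ranges and re-pinned to a public IP.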