Harden CSRF/CSP and add hash version upgrades

2026-02-18 20:51:18 +01:00
parent 3c7f3d2114
commit a130cba41a
23 changed files with 627 additions and 57 deletions
--- a/README.md
+++ b/README.md
@@ -33,6 +33,14 @@ Pick'n'Play is a .NET 10 ASP.NET Core Minimal API app with a static HTML/CSS/JS
 - Storage: SQLite database under `App_Data/gamelist.db`.
 - Migrations are deployment-time operations (`dotnet ef database update`); app startup does not auto-migrate.
 - Security defaults: rate-limited auth/admin routes, baseline browser security headers, production HTTPS+HSTS enforcement.
+- CSRF baseline: authenticated mutating API requests require same-origin `Origin`/`Referer` headers.
+- Password hashes are versioned and upgraded on successful login/admin-password verification; current rollout upgrades legacy PBKDF2 parameters and prepares further migration hardening.
+
+## Password Hash Migration Plan
+
+1. Existing hashes remain valid under versioned verification (`LegacyVersion=1`).
+2. Successful authentication transparently rehashes credentials to `CurrentVersion=2` and persists the upgraded hash metadata.
+3. Future migration can introduce Argon2id as a new version without breaking existing users, then retire legacy versions after full rollout.

 ## Module Ownership