Harden CSRF/CSP and add hash version upgrades

2026-02-18 20:51:18 +01:00
parent 3c7f3d2114
commit a130cba41a
23 changed files with 627 additions and 57 deletions
--- a/SPEC.md
+++ b/SPEC.md
@@ -41,3 +41,4 @@ Help a small Discord group (4–8 players) pick a co-op game via phased flow:
 ## Non-functional
 - Desktop + mobile friendly
 - Runs on IIS; SQLite via EF Core
+- Browser security baseline: strict CSP (no inline styles, no insecure image origins) and same-origin protection for authenticated mutating API requests