Security Audit Tasks
Audit date: 2026-02-08
Scope: Program.cs, Endpoints/*, Infrastructure/*, wwwroot/js/*, deployment docs/config
Critical
- None identified in this pass.
High
- Fix stored XSS in confirmation modal flows.
  Evidence: wwwroot/js/modals-ui.js:41, wwwroot/js/modals-ui.js:43, wwwroot/js/modals-ui.js:47, wwwroot/js/suggestions-ui.js:481, wwwroot/js/data.js:44, wwwroot/js/data.js:57, wwwroot/js/admin-ui.js:48.
  Risk: user-controlled names (suggestion names, player names) are interpolated into HTML markup and attribute values, so a stored payload executes script in other users' sessions, including the admin sessions that open the confirm modal.
  Tasks:
  - Stop building the confirm modal title/body with dynamic innerHTML; render untrusted text with textContent.
  - Stop interpolating untrusted values into HTML attributes (for example data-name); assign them with DOM APIs (element.dataset or setAttribute), which never parse the value as markup.
  - Add regression coverage for XSS payloads in suggestion names and player names, covering attribute-breakout payloads (a closing quote followed by an event handler) as well as plain tag injection.
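The following is an added example for this finding, not the project's own modals-ui.js code: renderConfirmUnsafe reproduces the interpolation pattern the audit describes, renderConfirmSafe is the DOM-API replacement. FakeElement and fakeDocument are a constructed stand-in for the browser DOM so the file runs under Node and the two outputs can be compared; in the browser you pass the real `document` and the stand-in is not needed.

```javascript
// Added example (not the project's modals-ui.js). Vulnerable pattern beside
// the DOM-API fix, plus a constructed minimal DOM so it runs outside a browser.

function renderConfirmUnsafe(doc, { title, name }) {
  // BEFORE: the untrusted name lands in markup and inside an attribute value.
  const modal = doc.createElement("div");
  modal.innerHTML =
    `<h2>${title}</h2>` +
    `<button class="confirm" data-name="${name}">Delete ${name}</button>`;
  return modal;
}

function renderConfirmSafe(doc, { title, name }) {
  // AFTER: text goes through textContent and the attribute through dataset,
  // so the browser never parses the name as HTML.
  const modal = doc.createElement("div");
  const heading = doc.createElement("h2");
  heading.textContent = title;
  const button = doc.createElement("button");
  button.className = "confirm";
  button.dataset.name = name;          // serialises as data-name="..." with escaping
  button.textContent = `Delete ${name}`;
  modal.append(heading, button);
  return modal;
}

// --- constructed stand-in for the browser DOM (not needed in real browser code) ---
// It escapes text nodes and attribute values; it is not a spec-exact serialiser.

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

class FakeElement {
  constructor(tag) {
    this.tag = tag;
    this.className = "";
    this.dataset = {};
    this.children = [];
    this.text = "";
    this.rawHtml = null; // only set via innerHTML: markup a browser would parse live
  }
  set innerHTML(markup) { this.rawHtml = String(markup); this.children = []; this.text = ""; }
  set textContent(value) { this.text = String(value); this.rawHtml = null; this.children = []; }
  get textContent() { return this.text; }
  append(...nodes) { this.children.push(...nodes); }
  get outerHTML() {
    let attrs = this.className ? ` class="${escapeHtml(this.className)}"` : "";
    for (const [k, v] of Object.entries(this.dataset)) attrs += ` data-${k}="${escapeHtml(v)}"`;
    const inner = this.rawHtml !== null
      ? this.rawHtml
      : escapeHtml(this.text) + this.children.map((c) => c.outerHTML).join("");
    return `<${this.tag}${attrs}>${inner}</${this.tag}>`;
  }
}

const fakeDocument = { createElement: (tag) => new FakeElement(tag) };

// Two constructed payloads: tag injection and attribute breakout.
const TAG_PAYLOAD = '<img src=x onerror="alert(1)">';
const ATTR_PAYLOAD = '" onmouseover="alert(1)';

// Renders both payloads both ways and returns the serialised markup.
function demo(doc = fakeDocument) {
  const title = "Confirm delete";
  return {
    unsafeTag: renderConfirmUnsafe(doc, { title, name: TAG_PAYLOAD }).outerHTML,
    safeTag: renderConfirmSafe(doc, { title, name: TAG_PAYLOAD }).outerHTML,
    unsafeAttr: renderConfirmUnsafe(doc, { title, name: ATTR_PAYLOAD }).outerHTML,
    safeAttr: renderConfirmSafe(doc, { title, name: ATTR_PAYLOAD }).outerHTML,
  };
}
```

The attribute-breakout payload is the case to keep in the regression suite: an escaping helper that only handles `<` and `>` still lets `" onmouseover="...` create a new attribute, whereas assigning through `dataset` cannot.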
Medium
- Add request throttling and brute-force protection for authentication and admin-sensitive routes.
  Evidence: Endpoints/AuthEndpoints.cs:16, Endpoints/AuthEndpoints.cs:62, Program.cs:49, Program.cs:64 (no AddRateLimiter/UseRateLimiter configured).
  Risk: password guessing and admin-key guessing are not rate-limited, so an attacker can try credentials as fast as the server will answer.
  Tasks:
  - Configure ASP.NET Core rate limiting policies (AddRateLimiter/UseRateLimiter, partitioned per client address or per account) for /api/auth/* and privileged admin routes, returning 429 on rejection; register the middleware after routing so endpoint-specific policies are applied.
  - Add lockout/backoff telemetry and alerts for repeated failed auth attempts.
- Harden screenshot URL validation against SSRF bypass techniques.
  Evidence: Endpoints/SuggestionValidator.cs:13, Endpoints/EndpointHelpers.cs:143, Endpoints/EndpointHelpers.cs:233, Endpoints/EndpointHelpers.cs:262.
  Risk: the private/reserved address filter is incomplete, and a hostname that is resolved once for validation and again for the fetch can change its answer in between (DNS rebinding), so server-side HTTP fetches can be pointed at internal services.
  Tasks:
  - Expand the blocked address ranges: all IPv4 reserved ranges (loopback, link-local including the 169.254.169.254 metadata address, RFC 1918, CGNAT 100.64.0.0/10, etc.), IPv6 ULA fc00::/7 and link-local fe80::/10, and IPv4-mapped IPv6 forms (::ffff:a.b.c.d) that carry an IPv4 address past an IPv6-only check.
  - Ensure the request is pinned to the validated IPs (resolve, validate every returned address, connect to that address while keeping the hostname for SNI/Host), or route egress through a safe proxy/allowlist.
  - Add tests for loopback/private/reserved host bypass attempts, including alternate encodings of the same address (decimal, octal, zero-padded octets) and, if redirects are followed, redirect targets.
- Add baseline HTTP security headers and enforce HTTPS policy.
  Evidence: Program.cs:68, Program.cs:77, Program.cs:90 (no app-level CSP/HSTS/X-Content-Type-Options/X-Frame-Options/Referrer-Policy middleware).
  Risk: weaker browser-side mitigation for XSS, clickjacking and content-type sniffing, and transport downgrade mistakes go unnoticed.
  Tasks:
  - Add explicit security headers in app middleware or IIS config (Content-Security-Policy, X-Content-Type-Options: nosniff, X-Frame-Options or CSP frame-ancestors, Referrer-Policy), set before the response starts so they apply to every response including errors.
  - Enable HSTS in production and verify HTTPS redirection/termination settings, including forwarded-header handling when TLS terminates at IIS or a proxy in front of Kestrel.
  - Add a deployment checklist validation step in IIS.md.
- Restrict accepted host headers.
  Evidence: appsettings.json:8.
  Risk: a wildcard AllowedHosts value accepts any Host header, which increases exposure to host-header abuse patterns (for example poisoned absolute URLs in generated links or cache keys).
  Tasks:
  - Replace AllowedHosts: "*" with the explicit production hostnames.
  - Add environment-specific config guidance for IIS deployments (appsettings.Production.json or environment variables), and confirm the IIS site bindings restrict hostnames as well.
Low
- Strengthen credential policy and password hashing parameters.
  Evidence: Endpoints/AuthValidator.cs:24, Infrastructure/PasswordHasher.cs:9.
  Risk: weak user-selected passwords remain possible; the PBKDF2 iteration cost is fixed at hashing time and will become insufficient as hardware improves.
  Tasks:
  - Enforce minimum password length/quality checks.
  - Store the hashing parameters alongside each hash, review and periodically raise the PBKDF2 iteration cost, and rehash on successful login when a stored hash uses outdated parameters (or migrate to a memory-hard scheme such as Argon2id).
- Reassess long-lived session defaults.
  Evidence: Program.cs:56.
  Risk: a 30-day sliding cookie expiration keeps a stolen session cookie usable for up to 30 days, and sliding renewal lets an attacker who keeps using it extend that window indefinitely.
  Tasks:
  - Reduce the expiration window for privileged sessions, or require step-up authentication for destructive admin actions.
  - Consider an explicit idle timeout plus an absolute lifetime policy, so that sliding renewal cannot extend a session past the absolute limit.
- Reevaluate permanent bootstrap-admin key behavior.
  Evidence: Endpoints/AuthEndpoints.cs:26, Endpoints/AuthEndpoints.cs:30, Endpoints/AuthEndpoints.cs:34.
  Risk: a leaked ADMIN_PASSWORD can be reused indefinitely to create new admin accounts, so a single exposure (log line, config backup, environment dump) becomes a permanent way back in.
  Tasks:
  - Limit bootstrap-admin creation to first run (no admin account exists yet) or to an explicit admin-only operation.
  - Add audit logs for admin account creation attempts and successes, including the source address and the acting principal.