Skip to content

Launch hardening: security, auth redirect, clear history, PWA, README#15

Merged
StrandedTurtle merged 3 commits into
mainfrom
claude/youthful-pasteur-2f6s72
Jun 30, 2026
Merged

Launch hardening: security, auth redirect, clear history, PWA, README#15
StrandedTurtle merged 3 commits into
mainfrom
claude/youthful-pasteur-2f6s72

Conversation

@StrandedTurtle

Copy link
Copy Markdown
Owner

Pre-launch hardening pass before the homelab post.

Security

  • Security headers on every response (CSP, X-Frame-Options, nosniff, Referrer-Policy, COOP, HSTS over https) via a testable security.js.
  • Webhook SSRF guard (urlguard.js): require https to a public host; reject loopback/private/link-local/metadata literals and hostnames that resolve inward. Applied at storage, the /api/notify/test input, and send time.
  • TRUST_PROXY so login rate-limiting sees the real client IP behind a reverse proxy (default off keeps X-Forwarded-For un-spoofable).
  • Stop leaking raw err.message to clients; log server-side, return stable error codes.
  • SECURITY.md threat model + operator guidance.

Bugs / features

  • Redirect to the login gate on any 401 from an authenticated request (expired session no longer strands the user).
  • Clear history: History-header button behind a reusable ConfirmDialog (+ DELETE /api/history).
  • Settings: stack rows vertically on phones and fix the rigid time input so the Background-checks section isn't cramped.
  • Full PWA manifest (start_url, scope, description, maskable icons).
  • Dark/light contrast parity + minor mobile polish.

Docs

  • README rewritten short & example-first; dev notes moved to CONTRIBUTING.md.

Verification

  • Server tests 94/94 pass (added urlguard, security-headers, clear-history tests).
  • Client build clean (emits sw.js + manifest.webmanifest).
  • Live smoke test: headers present, auth gate 401, login→clear-history works, SSRF rejection on the metadata endpoint.

🤖 Generated with Claude Code


Generated by Claude Code

strandedturtle and others added 3 commits June 30, 2026 12:37
Security pass ahead of a public release:
- Security headers on every response (CSP, X-Frame-Options, nosniff,
  Referrer-Policy, COOP, HSTS over https) via a testable security.js module.
- SSRF guard for the Discord webhook URL (urlguard.js): require https to a
  public host, reject loopback/private/link-local/metadata literals, and
  DNS-resolve before sending so a public hostname can't point inward. Applied
  at storage (settings.js), the /api/notify/test input, and send time.
- TRUST_PROXY config so login rate-limiting sees the real client IP behind a
  reverse proxy; default off keeps X-Forwarded-For un-spoofable.
- Stop leaking raw err.message (docker/registry/webhook detail) to clients;
  log server-side, return stable error codes only.
- Add DELETE /api/history (db.clearHistory) + SECURITY.md threat model.
- Tests for urlguard, security headers, and clearHistory.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Lj6nYJQDtLaZFvvEQJGM4
…lish

- Redirect to the login gate on any 401 from an authenticated request
  (api.js global handler; App lands on the dashboard after sign-in) so an
  expired session no longer strands the user on a broken page.
- Clear history: button in the History header behind a reusable ConfirmDialog.
- Settings: stack rows vertically on phones (<=540px) and fix the rigid time
  input so the Background-checks section isn't cramped; add row dividers.
- PWA: finish the manifest (start_url, scope, description, maskable icons).
- Dark/light parity: darken light-theme faint text for legibility; enlarge
  bottom-nav labels; let card actions wrap on narrow screens.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Lj6nYJQDtLaZFvvEQJGM4
…UTING

Lead with a copy-paste compose example (prebuilt image) and minimal .env,
collapse the same-path-mount warning to a single callout, add TRUST_PROXY to
the config table, and link SECURITY.md. Development/test/build instructions
moved to CONTRIBUTING.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Lj6nYJQDtLaZFvvEQJGM4
@StrandedTurtle StrandedTurtle merged commit 25891c1 into main Jun 30, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant