Launch hardening: security, auth redirect, clear history, PWA, README #15
Merged
Security pass ahead of a public release:
- Security headers on every response (CSP, X-Frame-Options, nosniff, Referrer-Policy, COOP, HSTS over https) via a testable security.js module.
- SSRF guard for the Discord webhook URL (urlguard.js): require https to a public host, reject loopback/private/link-local/metadata literals, and DNS-resolve before sending so a public hostname can't point inward. Applied at storage (settings.js), the /api/notify/test input, and send time.
- TRUST_PROXY config so login rate-limiting sees the real client IP behind a reverse proxy; default off keeps X-Forwarded-For un-spoofable.
- Stop leaking raw err.message (docker/registry/webhook detail) to clients; log server-side, return stable error codes only.
- Add DELETE /api/history (db.clearHistory) + SECURITY.md threat model.
- Tests for urlguard, security headers, and clearHistory.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Lj6nYJQDtLaZFvvEQJGM4
…lish
- Redirect to the login gate on any 401 from an authenticated request (api.js global handler; App lands on the dashboard after sign-in) so an expired session no longer strands the user on a broken page.
- Clear history: button in the History header behind a reusable ConfirmDialog.
- Settings: stack rows vertically on phones (<=540px) and fix the rigid time input so the Background-checks section isn't cramped; add row dividers.
- PWA: finish the manifest (start_url, scope, description, maskable icons).
- Dark/light parity: darken light-theme faint text for legibility; enlarge bottom-nav labels; let card actions wrap on narrow screens.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Lj6nYJQDtLaZFvvEQJGM4
…UTING
Lead with a copy-paste compose example (prebuilt image) and minimal .env, collapse the same-path-mount warning to a single callout, add TRUST_PROXY to the config table, and link SECURITY.md. Development/test/build instructions moved to CONTRIBUTING.md.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013Lj6nYJQDtLaZFvvEQJGM4
Pre-launch hardening pass before the homelab post.
Security
security.js.
urlguard.js): require https to a public host; reject loopback/private/link-local/metadata literals and hostnames that resolve inward. Applied at storage, the /api/notify/test input, and send time.
TRUST_PROXY so login rate-limiting sees the real client IP behind a reverse proxy (default off keeps X-Forwarded-For un-spoofable).
err.message to clients; log server-side, return stable error codes.
SECURITY.md threat model + operator guidance.
Bugs / features
ConfirmDialog (+ DELETE /api/history).
Docs
CONTRIBUTING.md.
Verification
sw.js + manifest.webmanifest).
🤖 Generated with Claude Code