Skip to content

Draft: Security hardening + regression suite (waring) #215

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
davewaring wants to merge 13 commits into
base: main
Choose a base branch
from
Draft

Draft: Security hardening + regression suite (waring) #215

davewaring wants to merge 13 commits into from

Conversation

@davewaring
Copy link
Contributor

@davewaring davewaring commented Jan 14, 2026

Summary

This PR completes the security hardening work from the audit plan and verifies fixes with automated tests and pen-test retests.

Key changes:

  • Production safety guards for SECRET_KEY, ENCRYPTION_MASTER_KEY, service tokens, and allowed hosts
  • Trusted proxy handling for rate limiting (no XFF spoofing from untrusted clients)
  • TrustedHostMiddleware restricted outside dev
  • Sanitized token/cookie logging; debug-gated token previews
  • Plugin static asset path traversal fixed; public assets gated outside dev
  • Request ID middleware and redacted request logs
  • Settings instance ownership enforcement (IDOR fix)
  • Internal service auth hardened to return 401 instead of 500
  • Navigation routes SQL parameterized
  • Dev-only cookie endpoints gated

Testing

  • pytest -m security (latest run after fixes)
  • Pen-test matrix rerun: all pass; XFF behavior is config-dependent

Notes

  • Production requires SECRET_KEY, ENCRYPTION_MASTER_KEY, service tokens, and non-* FORWARDED_ALLOW_IPS
  • If cross-site cookies are required, set COOKIE_SAMESITE=none with COOKIE_SECURE=true
  • XFF behavior depends on FORWARDED_ALLOW_IPS (proxy allowlist vs direct access)

@davewaring
docs: add security testing plan
ff626f7 
Document scope, phases, test matrix, and CI/security gating guidance.
@davewaring
security: add regression suite and fixes
2fce883 
Add security regression tests, wire CI job, fix service auth logging, enforce setting ownership, and ensure request-size middleware is active.
@davewaring
waring: harden prod config and proxy trust
46cebf3
@davewaring
waring: sanitize auth token logging
5a62c54
@davewaring
waring: harden plugin static asset serving
4535be5
@davewaring
waring: add request id and redact request logs
968ebff
@davewaring
waring: fix request logging indentation
983e1c0
@davewaring
waring: gate dev-only cookie endpoints
b1eb165
@davewaring
waring: debug-gate token preview logging
4c7f8c0
@davewaring
waring: parameterize navigation route SQL
34f43f8
@davewaring
waring: enforce settings instance ownership
839e636
@davewaring
waring: harden internal auth error handling
309c769
@davewaring
waring: add final security report
eb06517
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@davewaring