Skip to content

Harden admin security

jedmund requested to merge admin-security-hardening into main

Created by: jedmund

Summary

  • Add hooks.server.ts with security headers (CSP, HSTS, X-Frame-Options) and login rate limiting
  • Strip password hashes from public project API responses
  • Move project password verification to server-side to avoid exposing hashes to the client
  • Add CSRF token validation, fix debug auth exposure, secure login page
  • Fix rate limiter: unref interval timer, add proper headers on 429 responses
  • Fix post creation to return 201 status, sanitize upload error messages

Changes

  • New: src/hooks.server.ts with security headers and rate limiting middleware
  • Updated: Project API routes to strip sensitive fields from responses
  • Updated: Login flow to use server-side password verification
  • Updated: .env.example with ADMIN_SESSION_SECRET
  • Updated: Various API routes for proper status codes and error sanitization

Test plan

  • Verify login rate limiting triggers after repeated failed attempts
  • Verify security headers are present in responses
  • Verify project passwords are not exposed in API responses
  • Verify CSRF protection works on form submissions

Merge request reports

Loading