Harden admin security
Created by: jedmund
Summary
- Add
hooks.server.tswith security headers (CSP, HSTS, X-Frame-Options) and login rate limiting - Strip password hashes from public project API responses
- Move project password verification to server-side to avoid exposing hashes to the client
- Add CSRF token validation, fix debug auth exposure, secure login page
- Fix rate limiter: unref interval timer, add proper headers on 429 responses
- Fix post creation to return 201 status, sanitize upload error messages
Changes
-
New:
src/hooks.server.tswith security headers and rate limiting middleware - Updated: Project API routes to strip sensitive fields from responses
- Updated: Login flow to use server-side password verification
-
Updated:
.env.examplewithADMIN_SESSION_SECRET - Updated: Various API routes for proper status codes and error sanitization
Test plan
-
Verify login rate limiting triggers after repeated failed attempts -
Verify security headers are present in responses -
Verify project passwords are not exposed in API responses -
Verify CSRF protection works on form submissions