security: address audit findings C-4 through M-8
Critical: - C-4: Add express-rate-limit to login (20 attempts/15min) - C-5: Remove default credentials from LoginForm.js - C-6: Add sandbox attribute to KB document iframe High: - H-2: Hard-fail on startup if SESSION_SECRET env var is missing - H-6: Sanitize filenames in Content-Disposition headers - H-7: Fix KB upload race condition — move file after DB insert succeeds - H-8: Generate random admin password in setup.js instead of hardcoded - H-9: Add rehype-sanitize to ReactMarkdown (requires npm install) Medium: - M-4: Fix loose equality (==) to strict (===) in users.js self-checks - M-5: Add hostname format regex validation in compliance notes - M-6: Fix vendor trim-before-validate in ivantiTodoQueue.js - M-7: Sanitize original filename in compliance temp JSON - M-8: Pull CSP frame-ancestors from CORS_ORIGINS env var New dependencies needed: - backend: express-rate-limit (npm install in root) - frontend: rehype-sanitize (npm install in frontend/)
This commit is contained in:
jramos
@@ -15,6 +15,7 @@
|
||||
"cors": "^2.8.6",
|
||||
"dotenv": "^16.6.1",
|
||||
"express": "^5.2.1",
|
||||
"express-rate-limit": "^7.5.0",
|
||||
"multer": "^2.0.2",
|
||||
"sqlite3": "^5.1.7"
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user