fix: implement 22 security pentest remediation fixes

Server-side session management with SHA-256 hashed tokens and HttpOnly
cookies. Auth middleware gating all RPC/WS/proxy routes with method
allowlist. Login rate limiting (5/60s per IP). CORS restricted to
config origin. Docker registry allowlist. App ID and path validation.
P2P message sanitization (HTML + log injection). Onion address and
known-peer validation. Nginx security headers (CSP, X-Frame-Options,
etc.) and AIUI proxy auth. Systemd hardening (non-root, NoNewPrivileges,
ProtectSystem).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-06 03:26:56 +00:00
parent 6623dbc4ab
commit 6656d2f1d9
12 changed files with 503 additions and 77 deletions

View File

@@ -18,6 +18,7 @@ mod node_message;
mod nostr_discovery;
mod peers;
mod server;
mod session;
mod state;
use auth::AuthManager;