- Added a new `api` service for the NestJS backend, including health checks and dependencies on PostgreSQL, Redis, and MinIO.
- Introduced PostgreSQL and Redis services with health checks and configurations for data persistence.
- Added MinIO for S3-compatible object storage and a one-shot service to initialize required buckets.
- Updated the Nginx configuration to proxy requests to the new backend API and MinIO storage.
- Enhanced the Dockerfile to support the new API environment variables and configurations.
- Updated the `package.json` and `package-lock.json` to include new dependencies for QR code generation and other utilities.

Co-authored-by: Cursor <cursoragent@cursor.com>
11 lines
797 B
Markdown
# Nostr Auth Security Checklist
- Replay window: enforce ±120s `created_at` tolerance; reject reused or stale events.
- HTTPS only: require TLS termination before the API; never accept plain HTTP in production.
- Canonical URL: sign/verify the exact scheme + host + path + query; strip fragments.
- Payload hashing: hash raw bytes; reject if the `payload` tag hash differs from the received body.
- Rate limiting: apply IP/pubkey-based throttling to mitigate brute force or flood attempts.
- Logging hygiene: avoid persisting raw payloads/signatures; redact PII and secrets from logs.
- Dependency pinning: lock `nostr-tools` and crypto dependencies; track CVEs and update promptly.
- Test coverage: maintain ≥90% coverage for the Nostr auth service/guard and add E2E cases for tamper/replay.
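As an added example, not part of this repository's checklist or code: a TypeScript helper that applies the replay-window, HTTPS-only, canonical-URL and payload-hash items above to a NIP-98-style auth event (the `u`, `method` and `payload` tags and kind 27235 are assumed from NIP-98). Signature verification with `nostr-tools`' `verifyEvent` is assumed to run before this check, and the request URL is assumed to be rebuilt from Nginx's forwarded scheme and host.

```typescript
// Added example (not the project's code). Assumes the event signature was
// already verified (e.g. nostr-tools verifyEvent) and that req.url carries
// the externally visible scheme/host as forwarded by Nginx.
import { createHash } from "node:crypto";

export interface NostrEvent {
  id: string;
  kind: number;
  pubkey: string;
  created_at: number; // unix seconds
  tags: string[][];
}

export const REPLAY_WINDOW_SEC = 120;
const HTTP_AUTH_KIND = 27235; // NIP-98 HTTP auth event kind (assumed)

// Canonical form: scheme + host + path + query, fragment dropped.
export function canonicalUrl(raw: string): string {
  const u = new URL(raw);
  return `${u.protocol}//${u.host}${u.pathname}${u.search}`;
}

// Hash the raw request bytes, never a re-serialised JSON object.
export function sha256Hex(body: Buffer): string {
  return createHash("sha256").update(body).digest("hex");
}

function tagValue(ev: NostrEvent, name: string): string | undefined {
  return ev.tags.find((t) => t[0] === name)?.[1];
}

/** Returns null when the event matches the request, else a rejection reason. */
export function checkAuthEvent(
  ev: NostrEvent,
  req: { method: string; url: string; body: Buffer },
  nowSec: number,
  seen: Set<string>, // ids accepted inside the window (replay cache)
): string | null {
  if (ev.kind !== HTTP_AUTH_KIND) return "wrong kind";
  if (Math.abs(nowSec - ev.created_at) > REPLAY_WINDOW_SEC) return "stale or future created_at";
  if (seen.has(ev.id)) return "replayed event";
  const url = canonicalUrl(req.url);
  if (!url.startsWith("https://")) return "plain HTTP not accepted";
  if (tagValue(ev, "u") !== url) return "url mismatch";
  if (tagValue(ev, "method")?.toUpperCase() !== req.method.toUpperCase()) return "method mismatch";
  const payloadTag = tagValue(ev, "payload");
  if (req.body.length > 0 || payloadTag !== undefined) {
    if (payloadTag !== sha256Hex(req.body)) return "payload hash mismatch";
  }
  seen.add(ev.id); // remember the id for the rest of the window
  return null;
}
```

The `seen` set stands in for a Redis key with a TTL of the replay window; a process-local set does not survive restarts or span multiple API replicas.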