Security hardening before production use #25

Closed
opened 2026-03-22 23:51:11 +00:00 by barrettruth · 2 comments
barrettruth commented 2026-03-22 23:51:11 +00:00

Problem

Delta is now deployed but needs security hardening before real use at delta.barrettruth.com.

Open Items

Critical:

  • Rate limiting on /api/auth/login — currently unlimited brute force attempts
  • CSRF protection on mutation endpoints (POST/PATCH/DELETE)
  • Input validation/sanitization on all API endpoints (description, notes could contain XSS if rendered unsanitized)

Important:

  • Session tokens should be cryptographically random (currently uses crypto.randomBytes(32) — good, but verify entropy)
  • API key rotation should invalidate all active sessions for that user
  • DATABASE_URL env var contains the SQLite path — ensure the file is only readable by the delta system user
  • ACME SSL certificate auto-renewal for delta.barrettruth.com
  • Strict-Transport-Security header via nginx
  • X-Content-Type-Options: nosniff header
  • X-Frame-Options: DENY header

Nice to have:

  • Account lockout after N failed login attempts
  • Session expiry cleanup (cron to delete expired sessions from DB)
  • Audit log for auth events (login, logout, API key use)
  • Content Security Policy header
  • Consider invite-only registration (#24)

Context

Self-hosted on Netcup VPS behind nginx + ACME. Single user initially but friends may want accounts. The app is internet-accessible.

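The "rate limiting on `/api/auth/login`" and "account lockout after N failed attempts" items above, as an added example that is not the delta project's own code: an in-memory sliding-window limiter per client address plus a per-account lockout, wrapped as an Express-style middleware. Thresholds, function names and the handling of `X-Forwarded-For` (trusted only because nginx fronts the app) are assumptions.

```javascript
'use strict';

const WINDOW_MS = 15 * 60 * 1000;   // sliding window for per-address counting
const MAX_PER_IP = 20;              // login attempts allowed per window per address
const LOCKOUT_FAILURES = 5;         // failed attempts before an account locks
const LOCKOUT_MS = 10 * 60 * 1000;  // how long a locked account stays locked

const attemptsByIp = new Map();     // ip -> [attempt timestamps in ms]
const failuresByUser = new Map();   // username -> { count, lockedUntil }

// Drop timestamps older than the window and return how many remain.
function recentCount(ip, now) {
  const ts = (attemptsByIp.get(ip) || []).filter((t) => now - t < WINDOW_MS);
  attemptsByIp.set(ip, ts);
  return ts.length;
}

// Decide whether a login attempt may proceed; `now` is injectable for tests.
function checkLogin(ip, username, now = Date.now()) {
  if (recentCount(ip, now) >= MAX_PER_IP) {
    return { allowed: false, status: 429, reason: 'too many attempts' };
  }
  attemptsByIp.get(ip).push(now);   // count the attempt even if the account is locked
  const u = failuresByUser.get(username);
  if (u && u.lockedUntil > now) {
    return { allowed: false, status: 429, reason: 'account locked' };
  }
  return { allowed: true };
}

// Call after password verification; a success clears the failure counter.
function recordOutcome(username, success, now = Date.now()) {
  if (success) { failuresByUser.delete(username); return; }
  const u = failuresByUser.get(username) || { count: 0, lockedUntil: 0 };
  u.count += 1;
  if (u.count >= LOCKOUT_FAILURES) { u.lockedUntil = now + LOCKOUT_MS; u.count = 0; }
  failuresByUser.set(username, u);
}

// Express-style middleware (hypothetical wiring): app.post('/api/auth/login', loginLimiter, handler)
function loginLimiter(req, res, next) {
  const fwd = req.headers['x-forwarded-for'];       // set by nginx in front of delta
  const ip = (fwd ? fwd.split(',')[0] : req.socket.remoteAddress || '').trim();
  const verdict = checkLogin(ip, (req.body && req.body.username) || '');
  if (!verdict.allowed) return res.status(verdict.status).json({ error: verdict.reason });
  next();
}
```

The lockout state lives in process memory, so it resets on restart and is not shared across instances; the per-address window also cannot slow a password spray that rotates addresses, which is why the per-account lockout is kept alongside it.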
barrettruth commented 2026-03-23 00:28:09 +00:00

Rate limiting, security headers, input validation, XSS sanitization all implemented.

barrettruth commented 2026-03-23 01:47:48 +00:00
Reference
barrettruth/delta#25