Enhance security architecture and guidelines across documentation and middleware; implement input validation, logging improvements, and security headers in API handlers.
@@ -25,6 +25,34 @@ This guide covers local development setup, coding conventions, and contribution
- **TablePlus** or **DBeaver** for database management
- **Postman** or **Bruno** for API testing
## Security Guidelines
### Code Security
- **Never log secrets**: Passwords, tokens, keys must never appear in logs
- **Validate all inputs**: Use `sanitizePath()` for file paths, validate UUIDs
- **Use structured errors**: Return safe error messages that don't leak internal details
- **HTTPS only**: All API calls must use HTTPS in production
- **Input sanitization**: All user inputs must be validated and sanitized
### Authentication
- **JWT tokens**: Use secure, short-lived tokens
- **Session validation**: Always validate sessions against database
- **Passkey security**: Follow WebAuthn best practices
### File Operations
- **Path validation**: Prevent directory traversal with proper path sanitization
- **Permission checks**: Verify user permissions before file operations
- **Scoped access**: Users can only access authorized files/orgs
### Development Security
- **Local secrets**: Use `.env` files, never commit secrets
- **Test with security**: Include security tests in development
- **Review code**: Security review for all changes
## Project Setup
### 1. Clone the Repository
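Review bot: "Validate all inputs" and "Input sanitization" in the Code Security list state the same rule twice, and the first of them tells developers to use `sanitizePath()` without saying where that helper lives or what it accepts; merge the two bullets into one and point at the module that exports `sanitizePath()` and the UUID check so readers use the canonical helper instead of writing their own. In the Authentication list, "JWT tokens: Use secure, short-lived tokens" and "Session validation: Always validate sessions against database" leave the token lifetime unspecified and do not say whether a syntactically valid JWT still requires the database lookup on each request; give a concrete expiry and state that the database check is mandatory. The commit message also claims security headers were added to API handlers, but nothing in this hunk documents them; add a Code Security bullet naming the headers, or drop that claim from the message.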