Improve application security #35

Open
opened 2026-02-04 14:28:42 +01:00 by batmanisko · 0 comments
Member

Feature: Improved Application Security

FeatureRequest enum: SECURITY
Description: Improve application security

Implementation Notes

Harden the application security across authentication, input validation, and network layers.

Key files to modify:

  • server/src/auth.ts – Review and strengthen authentication logic
  • server/src/index.ts – Add security middleware (rate limiting, CORS hardening, helmet headers)

Known issues from TODO.md:

  • HTTP_REMOTE_TRUSTED_IPS is never validated – headers are accepted from anywhere
  • When trusted header authentication is enabled, standard login doesn't work (returns no response)
    • The login form should not be accessible in this mode (show a message or redirect instead)

Approach:

  1. Validate HTTP_REMOTE_TRUSTED_IPS – only accept trusted headers from configured IP ranges
  2. Fix standard login when trusted header auth is enabled (proper error response or UI redirect)
  3. Add rate limiting to auth endpoints
  4. Review CORS configuration
  5. Add security headers (helmet or equivalent)
  6. Audit for common vulnerabilities (XSS, injection, CSRF)
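Step 1 of the approach (honour the trusted identity header only when the connection comes from a configured address range) is shown below as an added example; it is not code from the Luncher repository. It assumes `HTTP_REMOTE_TRUSTED_IPS` is a comma-separated list of IPv4 addresses or CIDR ranges and that the identity header is named `X-Remote-User`; both are assumptions, not facts from the issue.

```typescript
// Added example (not project code): gate trusted-header login on the caller's
// source address. Assumes HTTP_REMOTE_TRUSTED_IPS looks like
// "127.0.0.1,10.0.0.0/8" and the identity header is X-Remote-User (assumed).

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const octet = Number(p);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value;
}

// Parse one entry ("10.0.0.0/8" or a bare "10.1.2.3", treated as /32).
function parseCidr(entry: string): { base: number; bits: number } | null {
  const [ip, prefix] = entry.trim().split("/");
  const base = ipv4ToInt(ip);
  const bits = prefix === undefined ? 32 : Number(prefix);
  if (base === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return null;
  return { base, bits };
}

// True only if remoteAddr falls inside one of the configured ranges.
// An empty or unset list trusts nobody, which closes the "never validated" gap.
function isTrustedRemote(remoteAddr: string, trustedList: string): boolean {
  // Node reports IPv4-mapped addresses as "::ffff:10.0.0.5"; normalise them.
  const addr = ipv4ToInt(remoteAddr.replace(/^::ffff:/i, ""));
  if (addr === null) return false;
  for (const entry of trustedList.split(",")) {
    if (entry.trim() === "") continue;
    const cidr = parseCidr(entry);
    if (cidr === null) continue; // malformed entries are ignored, never widened
    const mask = cidr.bits === 0 ? 0 : (~0 << (32 - cidr.bits)) >>> 0;
    if (((addr & mask) >>> 0) === ((cidr.base & mask) >>> 0)) return true;
  }
  return false;
}

// Only honour the identity header when the request came from a trusted proxy.
function userFromTrustedHeader(
  remoteAddr: string,
  headers: Record<string, string | string[] | undefined>,
  trustedList: string,
  headerName = "X-Remote-User",
): string | null {
  if (!isTrustedRemote(remoteAddr, trustedList)) return null;
  const value = headers[headerName.toLowerCase()];
  return typeof value === "string" && value.trim() !== "" ? value.trim() : null;
}
```

When the header is rejected, the route should fall through to the normal login flow (or the redirect from step 2) rather than failing with no response.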
batmanisko added the Vylepšení label 2026-02-04 14:30:15 +01:00
Reference: Marbes/Luncher#35