Refactor README to streamline development notes and enhance clarity on session management and security practices
This commit is contained in: parent 206b07c35a, commit 4698361d2f
README.md (76 changed lines)
@ -1,63 +1,25 @@
# member-console

Member console application for users to create, acccess, and manage their accounts associated with the Wiki Cafe MSC.
Member console application for users to create, acccess, and manage their accounts associated with the Wiki Cafe MSC (multi-stakeholder co-operative).

## Development notes:

- [ ] Implement backchannel logout
- [ ] Implement CSRF tokens
- [ ] Make sure viper's 'env' key will work correctly in production
- [ ] Should session-secret be generated on startup instead of in the config file?

---

- All protected pages should include CSRF tokens in forms
- Session timeout should match your security policy

example:
```
<button hx-get="/api/data" hx-headers='{"X-CSRF-Token": "{{.csrfToken}}"}'>
Load Data
</button>
```

---

Session Management:

- Use SameSite=Lax cookies
- Set Secure flag in production
- Rotate session secrets regularly

Error Handling:

- Custom error pages for 401/403 statuses
- Rate limiting on login attempts

Frontend Security:

- Content Security Policy (CSP)
- XSS protections in all templates
- Subresource Integrity (SRI) for CDN assets

Other:
- Back-Channel Logout:
- When a user logs out of the application, the application should notify the identity provider to log the user out of the identity provider as well.

---

- Secure headers?
- Content-Security-Policy
- Strict-Transport-Security
- X-Content-Type-Options
- X-Frame-Options
- X-XSS-Protection
- Referrer-Policy
- Expect-CT
- Feature-Policy

What is this??
```
w.Header().Set("Clear-Site-Data", `"cookies", "storage"`)
w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
```
- [ ] Should session-secret and csrf-secret be generated on startup instead of in the config file? They should be persisted nonetheless. Do they need to be rotated?
- [ ] Add remove trailing slash middleware if we start using more custom handlers that don't end with a slash
- [ ] Add tests
- [ ] CSRF
- [ ] Logging
- [ ] compression
- [ ] recovery
- [ ] request ID
- [ ] timeout
- [ ] secure headers and CORS
- [ ] Auth setup sanity check. Review code.
- [ ] Remove keycloak specific code
- [ ] Implement backchannel logout: When a user logs out of the application, the application should notify the identity provider to log the user out of the identity provider as well.
- [ ] Auth session timeout should match security policy
- [ ] Rate limiting on login attempts
- [ ] Subresource Integrity (SRI) for CDN assets
- [ ] Serve HTMX assets not from CDN
- [ ] Find out if timeout middleware is actually needed or if net/http handles it

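Review bot: the new checklist (from "- [ ] Should session-secret and csrf-secret be generated on startup…" through "- [ ] Find out if timeout middleware…") drops several concrete controls from the removed notes without a replacement item: the session cookie attributes ("Use SameSite=Lax cookies", "Set Secure flag in production"), "Rotate session secrets regularly", and the "Content Security Policy (CSP)" / "XSS protections in all templates" items. "- [ ] secure headers and CORS" and "- [ ] CSRF" only partly cover these, and the dropped rotation line is precisely what answers the open question "Do they need to be rotated?" in the first new item. Suggest carrying them over as checkboxes, for example "- [ ] Session cookies: SameSite=Lax, Secure in production" and "- [ ] Rotate session-secret and csrf-secret (persisted, with a defined rotation procedure)". The removed snippet setting `Clear-Site-Data` and `Strict-Transport-Security` also belongs with the surviving items (HSTS under "secure headers and CORS", `Clear-Site-Data` on logout under "Implement backchannel logout") rather than being lost with the "What is this??" note.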