From 4698361d2f4286c7605454f2a6fb97dc43729d61 Mon Sep 17 00:00:00 2001 From: Christian Galo Date: Thu, 1 May 2025 02:39:27 -0500 Subject: [PATCH] Refactor README to streamline development notes and enhance clarity on session management and security practices --- README.md | 76 ++++++++++++++----------------------------------------- 1 file changed, 19 insertions(+), 57 deletions(-) diff --git a/README.md b/README.md index 3ed2ef4..cec94e8 100644 --- a/README.md +++ b/README.md 
@@ -1,63 +1,25 @@ # member-console -Member console application for users to create, acccess, and manage their accounts associated with the Wiki Cafe MSC. +Member console application for users to create, acccess, and manage their accounts associated with the Wiki Cafe MSC (multi-stakeholder co-operative). ## Development notes: -- [ ] Implement backchannel logout -- [ ] Implement CSRF tokens - [ ] Make sure viper's 'env' key will work correctly in production -- [ ] Should session-secret be generated on startup instead of in the config file? - ---- - -- All protected pages should include CSRF tokens in forms -- Session timeout should match your security policy - -example: -``` - -``` - ---- - -Session Management: - -- Use SameSite=Lax cookies -- Set Secure flag in production -- Rotate session secrets regularly - -Error Handling: - -- Custom error pages for 401/403 statuses -- Rate limiting on login attempts - -Frontend Security: - -- Content Security Policy (CSP) -- XSS protections in all templates -- Subresource Integrity (SRI) for CDN assets - -Other: -- Back-Channel Logout: - - When a user logs out of the application, the application should notify the identity provider to log the user out of the identity provider as well. - ---- - -- Secure headers? - - Content-Security-Policy - - Strict-Transport-Security - - X-Content-Type-Options - - X-Frame-Options - - X-XSS-Protection - - Referrer-Policy - - Expect-CT - - Feature-Policy - -What is this?? -``` -w.Header().Set("Clear-Site-Data", `"cookies", "storage"`) -w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains") -``` +- [ ] Should session-secret and csrf-secret be generated on startup instead of in the config file? They should be persisted nonetheless. Do they need to be rotated? 
+- [ ] Add remove trailing slash middleware if we start using more custom handlers that don't end with a slash +- [ ] Add tests + - [ ] CSRF + - [ ] Logging + - [ ] compression + - [ ] recovery + - [ ] request ID + - [ ] timeout + - [ ] secure headers and CORS +- [ ] Auth setup sanity check. Review code. + - [ ] Remove keycloak specific code + - [ ] Implement backchannel logout: When a user logs out of the application, the application should notify the identity provider to log the user out of the identity provider as well. + - [ ] Auth session timeout should match security policy + - [ ] Rate limiting on login attempts + - [ ] Subresource Integrity (SRI) for CDN assets +- [ ] Serve HTMX assets not from CDN +- [ ] Find out if timeout middleware is actually needed or if net/http handles it
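Review bot: the replacement description line keeps the typo "acccess" from the line it removes ("create, acccess, and manage their accounts"); fix it while the line is being rewritten. The same hunk deletes the session-cookie guidance ("Use SameSite=Lax cookies", "Set Secure flag in production", "Rotate session secrets regularly") and the whole secure-headers list (Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy) without a replacement, although the subject line promises clarity on security practices, and the new item "Do they need to be rotated?" reopens a question the removed "Rotate session secrets regularly" line had already answered; consider keeping a short section that states which of these the "secure headers and CORS" middleware listed under tests actually enforces, or pointing to the file that configures them, so the decisions are not lost with the checklist. Minor wording: "Add remove trailing slash middleware" reads awkwardly; "Add a middleware that strips trailing slashes" is clearer.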