member-console

Member console application for users to create, access, and manage their accounts associated with the Wiki Cafe MSC.

Development notes:

  • Implement OIDC back-channel logout (see Other below)
  • Implement CSRF tokens
  • Make sure viper's 'env' key will work correctly in production
  • Should session-secret be generated on startup instead of in the config file? Generating it on startup invalidates every session on each restart and gives each replica a different key; loading it from the environment or a secret store, and rotating it with a grace period for the previous key, avoids both problems.

  • All protected pages should include CSRF tokens in every form that changes state
  • Session timeout should match your security policy

example (shown with hx-post: the token matters on state-changing requests, and GET handlers should never change state; Go's html/template escapes the interpolated token for the attribute context, and a base64url token contains nothing that needs escaping anyway):

<button hx-post="/api/data" hx-headers='{"X-CSRF-Token": "{{.csrfToken}}"}'>
    Load Data
</button>
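A worked CSRF middleware in Go, added here as an example and not taken from the member-console code base. It assumes a server secret named csrfKey (hypothetical; the real app would load it from configuration), a cookie named csrf_token, a form field of the same name, and a CSRFToken helper that hands the value to templates as {{.csrfToken}}; all of those names are assumptions. It is the signed double-submit-cookie pattern: the cookie value carries an HMAC tag, so an attacker who can plant a cookie (for example from a sibling subdomain) cannot mint a matching cookie/header pair.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"log"
	"net/http"
)

// csrfKey is a hypothetical server secret; load it from configuration in the real app.
var csrfKey = []byte("replace-me-with-32-random-bytes-from-config")

const csrfCookieName = "csrf_token"

type csrfCtxKey struct{}

// CSRFToken returns the token the middleware bound to this request, for
// rendering into templates as {{.csrfToken}}.
func CSRFToken(ctx context.Context) string {
	tok, _ := ctx.Value(csrfCtxKey{}).(string)
	return tok
}

// newCSRFToken mints base64url(nonce || HMAC-SHA256(csrfKey, nonce)). The tag
// is what stops an attacker-planted cookie from passing validation, which a
// plain double-submit cookie does not guarantee.
func newCSRFToken() (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, csrfKey)
	mac.Write(nonce)
	return base64.RawURLEncoding.EncodeToString(append(nonce, mac.Sum(nil)...)), nil
}

// validCSRFToken checks the token's shape and tag in constant time.
func validCSRFToken(tok string) bool {
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil || len(raw) != 16+sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, csrfKey)
	mac.Write(raw[:16])
	return hmac.Equal(raw[16:], mac.Sum(nil))
}

// CSRF issues the token cookie when it is missing or invalid and, for every
// method other than GET/HEAD/OPTIONS, requires the submitted token (the
// csrf_token form field or the X-CSRF-Token header htmx sends) to equal it.
func CSRF(secure bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := ""
		if c, err := r.Cookie(csrfCookieName); err == nil && validCSRFToken(c.Value) {
			tok = c.Value
		} else {
			if tok, err = newCSRFToken(); err != nil {
				http.Error(w, "internal error", http.StatusInternalServerError)
				return
			}
			http.SetCookie(w, &http.Cookie{
				Name: csrfCookieName, Value: tok, Path: "/",
				HttpOnly: true, Secure: secure, SameSite: http.SameSiteLaxMode,
			})
		}
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
		default:
			sent := r.Header.Get("X-CSRF-Token")
			if sent == "" {
				sent = r.PostFormValue("csrf_token")
			}
			// tok was validated (or freshly minted) above, so equality is sufficient.
			if !hmac.Equal([]byte(sent), []byte(tok)) {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), csrfCtxKey{}, tok)))
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// A real handler passes CSRFToken(r.Context()) to the template instead.
		fmt.Fprintf(w, "token for this browser: %s\n", CSRFToken(r.Context()))
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", CSRF(false, mux)))
}
```

Pass secure=true in production; the cookie is HttpOnly because the page gets the token from the server-rendered template, not from document.cookie.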

Session Management:

  • Use SameSite=Lax, HttpOnly cookies (Lax stops cross-site POSTs in current browsers but not same-site ones, e.g. from a sibling subdomain, so CSRF tokens are still needed)
  • Set the Secure flag in production
  • Rotate session secrets regularly, keeping the previous secret valid for verification for one session lifetime so a rotation does not log every member out
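Session cookie attributes and secret rotation, as an added Go example (not the project's code). Keyring, NewSessionID and SessionCookie are hypothetical names, the cookie name session and the key bytes are placeholders, and the session id is only signed here (a store lookup would follow). The point is that Rotate installs a new signing key while the retired key keeps verifying for a grace period.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"log"
	"net/http"
	"strings"
	"sync"
)

// Keyring (hypothetical) holds the current session-signing key plus retired
// keys that are still accepted for verification.
type Keyring struct {
	mu   sync.RWMutex
	keys [][]byte // keys[0] signs; the rest only verify
}

func NewKeyring(current []byte) *Keyring { return &Keyring{keys: [][]byte{current}} }

// Rotate installs next as the signing key and keeps at most `keep` old keys.
// Rotate no more often than the session lifetime, or live sessions get cut off.
func (kr *Keyring) Rotate(next []byte, keep int) {
	kr.mu.Lock()
	defer kr.mu.Unlock()
	kr.keys = append([][]byte{next}, kr.keys...)
	if len(kr.keys) > keep+1 {
		kr.keys = kr.keys[:keep+1]
	}
}

func tag(key []byte, id string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(id))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// NewSessionID returns 32 random bytes as base64url, an alphabet without '.'.
func NewSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Sign produces the cookie value "<id>.<tag>" with the current key.
func (kr *Keyring) Sign(id string) string {
	kr.mu.RLock()
	defer kr.mu.RUnlock()
	return id + "." + tag(kr.keys[0], id)
}

var ErrBadSession = errors.New("invalid session cookie")

// Verify returns the session id if the tag was made by the current key or any
// retained old key; every comparison is constant-time.
func (kr *Keyring) Verify(value string) (string, error) {
	id, got, ok := strings.Cut(value, ".")
	if !ok {
		return "", ErrBadSession
	}
	kr.mu.RLock()
	defer kr.mu.RUnlock()
	for _, k := range kr.keys {
		if hmac.Equal([]byte(got), []byte(tag(k, id))) {
			return id, nil
		}
	}
	return "", ErrBadSession
}

// SessionCookie applies the attributes from the list above. Secure follows the
// production flag because a Secure cookie is never sent over plain http.
func SessionCookie(value string, production bool, maxAgeSeconds int) *http.Cookie {
	return &http.Cookie{
		Name: "session", Value: value, Path: "/", MaxAge: maxAgeSeconds,
		HttpOnly: true, Secure: production, SameSite: http.SameSiteLaxMode,
	}
}

func main() {
	kr := NewKeyring([]byte("first-key-from-config"))
	id, err := NewSessionID()
	if err != nil {
		log.Fatal(err)
	}
	cookie := SessionCookie(kr.Sign(id), false, 3600)
	fmt.Println("Set-Cookie:", cookie.String())
	kr.Rotate([]byte("second-key"), 1)
	_, err = kr.Verify(cookie.Value) // still valid after one rotation
	fmt.Println("valid after rotation:", err == nil)
}
```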

Error Handling:

  • Custom error pages for 401/403 statuses that reveal nothing about internal state (no stack traces or paths)
  • Rate limiting on login attempts, keyed by source IP and by account, answering 429 with Retry-After
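Rate limiting on login attempts, as an added Go example (not the project's code). LoginLimiter is a hypothetical fixed-window limiter keyed by client IP plus the submitted username, so one address cannot spray many accounts and many addresses cannot hammer one account; the /login path, the username form field and the limits are assumptions.

```go
package main

import (
	"fmt"
	"log"
	"math"
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// LoginLimiter (hypothetical) allows at most `limit` attempts per key per window.
type LoginLimiter struct {
	mu      sync.Mutex
	limit   int
	window  time.Duration
	now     func() time.Time // injectable so tests can move the clock
	buckets map[string]*attempts
}

type attempts struct {
	start time.Time
	count int
}

func NewLoginLimiter(limit int, window time.Duration) *LoginLimiter {
	return &LoginLimiter{limit: limit, window: window, now: time.Now, buckets: map[string]*attempts{}}
}

// Allow records one attempt for key. Over the limit it returns false and the
// time until the window resets. Every attempt counts, not only failures, so
// the limiter stays independent of the handler's outcome.
func (l *LoginLimiter) Allow(key string) (bool, time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	b, ok := l.buckets[key]
	if !ok || now.Sub(b.start) >= l.window {
		// Drop every expired bucket while we are here so the map stays bounded.
		for k, o := range l.buckets {
			if now.Sub(o.start) >= l.window {
				delete(l.buckets, k)
			}
		}
		b = &attempts{start: now}
		l.buckets[key] = b
	}
	if b.count >= l.limit {
		return false, b.start.Add(l.window).Sub(now)
	}
	b.count++
	return true, 0
}

// clientIP uses the TCP peer address. Behind a reverse proxy, read the address
// from the header that proxy sets, and only if the proxy is the only way in.
func clientIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// Middleware throttles POST (the credential submission); other methods pass through.
func (l *LoginLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			key := clientIP(r) + "|" + r.PostFormValue("username")
			if ok, retry := l.Allow(key); !ok {
				w.Header().Set("Retry-After", strconv.Itoa(int(math.Ceil(retry.Seconds()))))
				http.Error(w, "too many login attempts, try again later", http.StatusTooManyRequests)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	limiter := NewLoginLimiter(5, time.Minute)
	login := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "the credential check would run here")
	})
	http.Handle("/login", limiter.Middleware(login))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The in-memory map is per process; with several replicas, back the same logic with a shared store or the limit multiplies by the replica count.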

Frontend Security:

  • Content Security Policy (CSP)
  • XSS protections in all templates: render HTML only through html/template (contextual auto-escaping), never text/template, and never wrap user-controlled data in template.HTML
  • Subresource Integrity (SRI) for CDN assets

Other:

  • Single logout is two separate OIDC mechanisms, and both are wanted here:
    • Back-Channel Logout (OpenID Connect Back-Channel Logout 1.0): the identity provider POSTs a signed logout_token to this application's backchannel_logout_uri when the user's IdP session ends (logout from another application, admin revocation); the application verifies the token and terminates the local session(s) for that sid/sub.
    • RP-Initiated Logout: when a user logs out of this application, redirect to the provider's end_session_endpoint (with id_token_hint and post_logout_redirect_uri) so the IdP session ends too; otherwise the next visit logs the user straight back in through the still-valid IdP session.

  • Secure headers (set on every response):
    • Content-Security-Policy
    • Strict-Transport-Security (production only; never on plain-http localhost)
    • X-Content-Type-Options: nosniff
    • X-Frame-Options: DENY (CSP frame-ancestors covers current browsers; this one is for older ones)
    • Referrer-Policy
    • Permissions-Policy (the successor of Feature-Policy, which current browsers no longer honour)
    • Not X-XSS-Protection: the browser XSS filter it controlled has been removed from current browsers, so the header is at best a no-op
    • Not Expect-CT: obsolete now that Certificate Transparency is mandatory for publicly trusted certificates
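A receiver for the back-channel logout endpoint, as an added Go example (not the project's code). LogoutReceiver, LogoutToken and audienceContains are hypothetical names, and the example assumes the provider signs logout tokens with HS256 using the client secret (an assumption; many providers use RS256, in which case only the signature step changes to a lookup in the provider's JWKS). It pins the algorithm, verifies the signature before trusting any claim, then enforces the issuer, audience, time, events, sid/sub and no-nonce rules and hands sid/sub to a revoke callback that ends the local sessions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

const logoutEventType = "http://schemas.openid.net/event/backchannel-logout"

// LogoutToken holds the claims defined by OpenID Connect Back-Channel Logout 1.0;
// encoding/json matches the lower-case claim names to these fields case-insensitively.
type LogoutToken struct {
	Iss, Sub, Jti, Sid string
	Aud                json.RawMessage // a string or an array of strings
	Iat, Exp           int64
	Events             map[string]json.RawMessage
	Nonce              *string // must be absent: an ID token replayed here would carry one
}

// LogoutReceiver is hypothetical, not the project's code. It assumes the OP signs
// logout tokens with HS256 using the client secret. Now is injectable for tests.
type LogoutReceiver struct {
	Issuer, ClientID string
	Secret           []byte
	Now              func() time.Time
}

// Parse verifies the signature and then the claim rules of section 2.6 of the spec.
func (lr *LogoutReceiver) Parse(raw string) (*LogoutToken, error) {
	p := strings.Split(raw, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string } // pin the algorithm; the token must not choose its own
	if b, err := base64.RawURLEncoding.DecodeString(p[0]); err != nil || json.Unmarshal(b, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, lr.Secret)
	mac.Write([]byte(p[0] + "." + p[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(p[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var t LogoutToken
	if b, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(b, &t) != nil {
		return nil, errors.New("malformed payload")
	}
	now := lr.Now().Unix()
	_, isLogout := t.Events[logoutEventType]
	switch {
	case t.Iss != lr.Issuer:
		return nil, errors.New("wrong issuer")
	case !audienceContains(t.Aud, lr.ClientID):
		return nil, errors.New("wrong audience")
	case t.Iat == 0 || t.Iat > now+60 || (t.Exp != 0 && t.Exp <= now):
		return nil, errors.New("token not valid at this time")
	case t.Jti == "" || !isLogout || (t.Sub == "" && t.Sid == "") || t.Nonce != nil:
		return nil, errors.New("claims do not describe a logout event")
	}
	return &t, nil
}

func audienceContains(raw json.RawMessage, id string) bool {
	var auds []string
	if len(raw) > 0 && raw[0] == '"' { // normalise the bare-string form to a one-element list
		raw = append(append(json.RawMessage("["), raw...), ']')
	}
	if json.Unmarshal(raw, &auds) != nil {
		return false
	}
	for _, a := range auds {
		if a == id {
			return true
		}
	}
	return false
}

// Handler serves backchannel_logout_uri: the OP POSTs logout_token as a form field.
// revoke must end every local session with that sid (all of sub's when sid is empty).
func (lr *LogoutReceiver) Handler(revoke func(sid, sub string)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Cache-Control", "no-store")
		t, err := lr.Parse(r.PostFormValue("logout_token"))
		if err != nil {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		revoke(t.Sid, t.Sub)
		w.WriteHeader(http.StatusOK)
	}
}
```

Mount it with http.Handle("/oidc/backchannel-logout", lr.Handler(revoke)) and register that URL as backchannel_logout_uri with the provider; the endpoint needs no session cookie and no CSRF token, since the signed token is the authentication. Tracking recent jti values to refuse replays is optional in the spec and is left out here.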

Logout and transport headers:

  • Clear-Site-Data asks the browser to discard the listed data for this origin (here cookies and DOM storage); send it from the logout handler so nothing of the session survives in the browser. Browsers only honour it on HTTPS responses.
  • Strict-Transport-Security tells the browser to reach this host (and, with includeSubDomains, every subdomain) over HTTPS only for max-age seconds; 63072000 is two years. Set it on every production response.

// in the logout handler
w.Header().Set("Clear-Site-Data", `"cookies", "storage"`)
// in the production security-headers middleware
w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
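A security-headers middleware and a logout handler covering the header list above and the two header lines just shown, as an added Go example (not the project's code). SecureHeaders, DefaultCSP and LogoutHandler are hypothetical names, the cookie name session and the /login redirect are assumptions, and DefaultCSP is a starting policy rather than the project's; it passes the HSTS max-age as 0 in development so that plain-http localhost is never pinned to HTTPS.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
)

// DefaultCSP is a strict starting policy for a server-rendered htmx app. htmx
// attributes are not inline scripts, so hx-get/hx-post work without
// 'unsafe-inline'; serve htmx from this origin (or add the CDN host plus SRI)
// and avoid hx-on/js: expressions, which need 'unsafe-eval'.
const DefaultCSP = "default-src 'self'; script-src 'self'; style-src 'self'; " +
	"img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; " +
	"base-uri 'self'; form-action 'self'"

// SecureHeaders sets the headers from the list above on every response.
// hstsMaxAge is in seconds; pass 0 in development. Permissions-Policy replaces
// the obsolete Feature-Policy; X-XSS-Protection and Expect-CT are left out on purpose.
func SecureHeaders(csp string, hstsMaxAge int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Security-Policy", csp)
		if hstsMaxAge > 0 {
			h.Set("Strict-Transport-Security", fmt.Sprintf("max-age=%d; includeSubDomains", hstsMaxAge))
		}
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY") // frame-ancestors above covers current browsers
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
		next.ServeHTTP(w, r)
	})
}

// LogoutHandler expires the session cookie and asks the browser to drop cookies
// and storage for the origin. Clear-Site-Data is only honoured on HTTPS
// responses, so in development the cookie expiry alone does the work. Logout is
// POST-only so the CSRF middleware protects it from forced logouts.
func LogoutHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	http.SetCookie(w, &http.Cookie{Name: "session", Value: "", Path: "/", MaxAge: -1, HttpOnly: true})
	w.Header().Set("Clear-Site-Data", `"cookies", "storage"`)
	http.Redirect(w, r, "/login", http.StatusSeeOther)
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/logout", LogoutHandler)
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "member console") })
	production := false // would come from configuration
	hsts := 0
	if production {
		hsts = 63072000 // two years
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", SecureHeaders(DefaultCSP, hsts, mux)))
}
```

Server-side the logout handler should also delete the session from its store; clearing the cookie alone leaves the session valid for anyone who captured it.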
License: AGPL-3.0. Languages: Go, HTML, Dockerfile, Makefile.