Hacker-Software
/
opencrm
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
opencrm/backend
History
duffyduck 8aead8c2f6 Security-Hardening Runde 3: JWT, trust-proxy, weitere IDORs, Attachment-Härtung 
- JWT-Algorithmus fest auf HS256 (Defense-in-Depth gegen alg-confusion)
- app.set('trust proxy', 1) – Rate-Limiter wirkt jetzt auch hinter Reverse-Proxy
- IDOR-Fix: Invoice-ECD-Endpoints + PDF-Template-Generierung (canAccessContract/ECD)
- Email-Anhang-Download: Content-Type-Safelist, SVG nie inline, nosniff, Filename-CRLF-Sanitize
- Provider/Tariff-GET-Routen: requirePermission('providers:read') (Portal-Kunden raus)
- SMTP-Header-Injection zentral in sendEmail blockiert (schützt alle Caller)
- bcrypt-Cost 10 → 12 (OWASP 2026)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 		2026-04-24 09:38:25 +02:00
..
factory-defaults docs: Factory-Defaults Import/Export-Anleitung in READMEs 2026-04-23 14:19:02 +02:00
prisma Security-Hardening: IDOR-Fixes, XSS-Sanitizer, CORS+Helmet, Data-Exposure 2026-04-23 22:06:16 +02:00
scripts Factory-Defaults: Export + Import von Stammdaten-Katalogen 2026-04-23 14:10:12 +02:00
src Security-Hardening Runde 3: JWT, trust-proxy, weitere IDORs, Attachment-Härtung 2026-04-24 09:38:25 +02:00
uploads save email as pdf like an attachment 2026-02-04 19:18:32 +01:00
.env.example first commit 2026-01-29 01:16:54 +01:00
.gitignore Factory-Defaults: Export + Import von Stammdaten-Katalogen 2026-04-23 14:10:12 +02:00
package-lock.json chore: helmet korrekt in backend/package.json statt Root 2026-04-23 23:02:12 +02:00
package.json chore: helmet korrekt in backend/package.json statt Root 2026-04-23 23:02:12 +02:00
todo.md Security-Hardening Runde 3: JWT, trust-proxy, weitere IDORs, Attachment-Härtung 2026-04-24 09:38:25 +02:00
tsconfig.json first commit 2026-01-29 01:16:54 +01:00