Harden security, polish admin UI and document Windows WebDAV

- helmet, express-rate-limit (login/setup/customer-auth/me-password)
- Constant-time login (bcrypt always runs against a dummy hash on miss)
- Cookie secure flag follows req.protocol; trust proxy is env-gated to
  prevent X-Forwarded-For spoofing on direct exposure
- Drop SVG from accepted logo types (same-origin XSS) and resolve the
  served logo path against LOGO_DIR as defense in depth
- Self-service /me/password endpoint plus header button; bumps minimum
  password length to 8 across backend, prompts and edit modal
- Multer 1.x → 2.x for current security backports
- Customer edit modal replaces stacked prompts; user role is now an
  inline dropdown with a confirm-and-revert flow
- Windows .reg helper plus README section for Basic-Auth-over-HTTP and
  the http:// vs \\HOST@PORT\DavWWWRoot\ mapping syntax

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Stefan Hacker
2026-04-16 12:53:13 +02:00
parent 3f86fca578
commit 182ef04cc5
7 changed files with 263 additions and 43 deletions
+3 -1
@@ -11,7 +11,9 @@
"better-sqlite3": "^11.3.0",
"express": "^4.21.0",
"express-basic-auth": "^1.2.1",
"multer": "^1.4.5-lts.1",
"express-rate-limit": "^7.4.0",
"helmet": "^7.1.0",
"multer": "^2.0.0",
"nanoid": "^3.3.7",
"nodemailer": "^6.9.15"
}
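Review bot: the added `"express-rate-limit": "^7.4.0"` line brings in a limiter that keys on `req.ip` by default, so its effectiveness depends on the env-gated trust proxy setting described in the commit message. With trust proxy off behind a reverse proxy, every client shares the proxy's address and one bucket; with it on under direct exposure, the key follows a client-supplied header. Please document next to the dependency (README or env sample) which setting each deployment mode needs. Separately, `"multer": "^2.0.0"` is a major-version jump from `^1.4.5-lts.1`: confirm the logo upload handler was exercised against 2.x and that the lockfile is updated in the same commit, since the caret ranges here do not pin what actually gets installed.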