duffyduck/dyndns-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security-Hardening (Pentest-Findings F-02 bis F-07)

Browse Source 
- CSRF-Schutz: session-gebundenes Token in allen POST-Formularen, serverseitig
  per before_request geprueft; /nic/update ausgenommen (Basic-Auth-API)
- Brute-Force-Schutz: DB-gestuetzter Login-Lockout pro Client-IP
  (5 Fehlversuche -> 15 min), echte IP via ProxyFix/X-Forwarded-For
- SSRF: validate_plesk_url() erzwingt http(s) und blockt Link-Local/Metadata,
  Multicast und reservierte Ziele
- Session-Cookies: HttpOnly, SameSite=Lax, Secure (per Env abschaltbar)
- Security-Header: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Generische Plesk-Fehlermeldungen (keine internen URLs im UI)
- CSS/JS nach static/ ausgelagert -> strikte CSP ohne 'unsafe-inline'
- login_attempts-Tabelle + README-Security-Abschnitt

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Stefan Hacker
2026-06-06 14:45:27 +02:00
parent 9c631992af
commit c3070469c1
10 changed files with 233 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/static/css/app.css
+20
View File
@@ -0,0 +1,20 @@
:root { --sidebar-bg: #1e2a38; --sidebar-hover: #2d3f52; }
body { background: #f4f6f9; min-height: 100vh; }
#sidebar {
width: 220px; min-width: 220px; min-height: 100vh;
background: var(--sidebar-bg); color: #cdd6e0;
}
#sidebar .brand { color: #4fc3f7; font-weight: 700; font-size: 1.1rem; }
#sidebar .nav-link {
color: #b0bec5; border-radius: 6px; padding: .5rem .75rem;
margin-bottom: 2px; transition: background .15s;
}
#sidebar .nav-link:hover, #sidebar .nav-link.active {
background: var(--sidebar-hover); color: #fff;
}
#sidebar .nav-link i { width: 1.3em; }
#sidebar hr { border-color: var(--sidebar-hover); }
.main-content { flex: 1; padding: 2rem; min-width: 0; }
.card { border: none; box-shadow: 0 1px 4px rgba(0,0,0,.08); }
.badge-ip { font-family: monospace; font-size: .85em; }
.va-baseline { vertical-align: baseline; }
app/static/css/login.css
+2
View File
@@ -0,0 +1,2 @@
body { background: #1e2a38; min-height: 100vh; display: flex; align-items: center; }
.login-card { width: 100%; max-width: 380px; }
app/static/js/app.js
+10
View File
@@ -0,0 +1,10 @@
// Bestätigungsdialog für Formulare mit data-confirm — ersetzt inline onsubmit,
// damit die CSP ohne 'unsafe-inline' für script-src auskommt.
document.addEventListener('submit', function (e) {
var form = e.target;
if (form && form.dataset && form.dataset.confirm) {
if (!window.confirm(form.dataset.confirm)) {
e.preventDefault();
}
}
});