duffyduck/dyndns-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security-Hardening (Pentest-Findings F-02 bis F-07)

Browse Source 
- CSRF-Schutz: session-gebundenes Token in allen POST-Formularen, serverseitig
  per before_request geprueft; /nic/update ausgenommen (Basic-Auth-API)
- Brute-Force-Schutz: DB-gestuetzter Login-Lockout pro Client-IP
  (5 Fehlversuche -> 15 min), echte IP via ProxyFix/X-Forwarded-For
- SSRF: validate_plesk_url() erzwingt http(s) und blockt Link-Local/Metadata,
  Multicast und reservierte Ziele
- Session-Cookies: HttpOnly, SameSite=Lax, Secure (per Env abschaltbar)
- Security-Header: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Generische Plesk-Fehlermeldungen (keine internen URLs im UI)
- CSS/JS nach static/ ausgelagert -> strikte CSP ohne 'unsafe-inline'
- login_attempts-Tabelle + README-Security-Abschnitt

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Stefan Hacker
2026-06-06 14:45:27 +02:00
parent 9c631992af
commit c3070469c1
10 changed files with 233 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/templates/base.html
+3 -21
View File
@@ -6,26 +6,7 @@
<title>{% block title %}DynDNS Manager{% endblock %}</title>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css">
<style>
:root { --sidebar-bg: #1e2a38; --sidebar-hover: #2d3f52; }
body { background: #f4f6f9; min-height: 100vh; }
#sidebar {
width: 220px; min-width: 220px; min-height: 100vh;
background: var(--sidebar-bg); color: #cdd6e0;
}
#sidebar .brand { color: #4fc3f7; font-weight: 700; font-size: 1.1rem; }
#sidebar .nav-link {
color: #b0bec5; border-radius: 6px; padding: .5rem .75rem;
margin-bottom: 2px; transition: background .15s;
}
#sidebar .nav-link:hover, #sidebar .nav-link.active {
background: var(--sidebar-hover); color: #fff;
}
#sidebar .nav-link i { width: 1.3em; }
.main-content { flex: 1; padding: 2rem; min-width: 0; }
.card { border: none; box-shadow: 0 1px 4px rgba(0,0,0,.08); }
.badge-ip { font-family: monospace; font-size: .85em; }
</style>
<link rel="stylesheet" href="{{ url_for('static', filename='css/app.css') }}">
</head>
<body class="d-flex">
@@ -48,7 +29,7 @@
</a>
</div>
<div class="mt-auto">
<hr style="border-color:#2d3f52">
<hr>
<small class="text-secondary d-block mb-2 px-2">{{ session.admin_username }}</small>
<a href="{{ url_for('logout') }}" class="nav-link text-danger">
<i class="bi bi-box-arrow-left"></i> Abmelden
@@ -70,6 +51,7 @@
</div>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
<script src="{{ url_for('static', filename='js/app.js') }}"></script>
{% block scripts %}{% endblock %}
</body>
</html>
app/templates/login.html
+3 -5
View File
@@ -5,10 +5,8 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Login — DynDNS Manager</title>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css">
<style>
body { background: #1e2a38; min-height: 100vh; display: flex; align-items: center; }
.login-card { width: 100%; max-width: 380px; }
</style>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css">
<link rel="stylesheet" href="{{ url_for('static', filename='css/login.css') }}">
</head>
<body class="justify-content-center">
<div class="login-card">
@@ -24,6 +22,7 @@
{% endfor %}
{% endwith %}
<form method="post">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<div class="mb-3">
<label class="form-label fw-semibold">Benutzername</label>
<input name="username" type="text" class="form-control" autofocus required>
@@ -37,6 +36,5 @@
</div>
</div>
</div>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css">
</body>
</html>
app/templates/settings.html
+2
View File
@@ -12,6 +12,7 @@
<div class="card-header fw-semibold">Plesk-Server</div>
<div class="card-body">
<form method="post" action="{{ url_for('settings_plesk') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<div class="mb-3">
<label class="form-label">Plesk URL</label>
<input name="plesk_url" type="url" class="form-control font-monospace"
@@ -57,6 +58,7 @@
<div class="card-header fw-semibold">Admin-Passwort ändern</div>
<div class="card-body">
<form method="post" action="{{ url_for('settings_password') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<div class="mb-3">
<label class="form-label">Aktuelles Passwort</label>
<input name="current_password" type="password" class="form-control" required>
app/templates/users.html
+9 -3
View File
@@ -31,9 +31,10 @@
{% if base_domain %}{{ s.subdomain }}.{{ base_domain }}{% else %}{{ s.subdomain }}{% endif %}
{% if s.current_ip %}<span class="text-muted">· {{ s.current_ip }}</span>{% endif %}
<form method="post" action="{{ url_for('subdomain_delete', subdomain_id=s.id) }}"
class="d-inline" onsubmit="return confirm('Subdomain {{ s.subdomain }} löschen?');">
<button type="submit" class="btn btn-link btn-sm p-0 ms-1 text-danger" title="Subdomain löschen"
style="vertical-align: baseline;"><i class="bi bi-x-lg"></i></button>
class="d-inline" data-confirm="Subdomain {{ s.subdomain }} löschen?">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<button type="submit" class="btn btn-link btn-sm p-0 ms-1 text-danger va-baseline"
title="Subdomain löschen"><i class="bi bi-x-lg"></i></button>
</form>
</span>
{% else %}
@@ -60,6 +61,7 @@
<i class="bi bi-pencil"></i>
</button>
<form method="post" action="{{ url_for('user_toggle', user_id=u.id) }}" class="d-inline">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<button type="submit" class="btn btn-outline-warning" title="Aktivieren/Deaktivieren">
<i class="bi bi-{% if u.active %}pause{% else %}play{% endif %}-fill"></i>
</button>
@@ -82,6 +84,7 @@
<button type="button" class="btn-close" data-bs-dismiss="modal"></button>
</div>
<form method="post" action="{{ url_for('subdomain_add', user_id=u.id) }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<div class="modal-body">
<label class="form-label">Subdomain(s)</label>
<div class="input-group">
@@ -111,6 +114,7 @@
<button type="button" class="btn-close" data-bs-dismiss="modal"></button>
</div>
<form method="post" action="{{ url_for('user_edit', user_id=u.id) }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<div class="modal-body">
<div class="mb-3">
<label class="form-label">DynDNS-Benutzername</label>
@@ -148,6 +152,7 @@
<div class="modal-footer">
<button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Abbrechen</button>
<form method="post" action="{{ url_for('user_delete', user_id=u.id) }}" class="d-inline">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<button type="submit" class="btn btn-danger">Löschen</button>
</form>
</div>
@@ -174,6 +179,7 @@
<button type="button" class="btn-close" data-bs-dismiss="modal"></button>
</div>
<form method="post" action="{{ url_for('user_add') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<div class="modal-body">
<div class="mb-3">
<label class="form-label">DynDNS-Benutzername</label>