Security-Hardening (Pentest-Findings F-02 bis F-07)
- CSRF-Schutz: session-gebundenes Token in allen POST-Formularen, serverseitig per before_request geprueft; /nic/update ausgenommen (Basic-Auth-API) - Brute-Force-Schutz: DB-gestuetzter Login-Lockout pro Client-IP (5 Fehlversuche -> 15 min), echte IP via ProxyFix/X-Forwarded-For - SSRF: validate_plesk_url() erzwingt http(s) und blockt Link-Local/Metadata, Multicast und reservierte Ziele - Session-Cookies: HttpOnly, SameSite=Lax, Secure (per Env abschaltbar) - Security-Header: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy - Generische Plesk-Fehlermeldungen (keine internen URLs im UI) - CSS/JS nach static/ ausgelagert -> strikte CSP ohne 'unsafe-inline' - login_attempts-Tabelle + README-Security-Abschnitt Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Stefan Hacker
@@ -31,9 +31,10 @@
|
||||
{% if base_domain %}{{ s.subdomain }}.{{ base_domain }}{% else %}{{ s.subdomain }}{% endif %}
|
||||
{% if s.current_ip %}<span class="text-muted">· {{ s.current_ip }}</span>{% endif %}
|
||||
<form method="post" action="{{ url_for('subdomain_delete', subdomain_id=s.id) }}"
|
||||
class="d-inline" onsubmit="return confirm('Subdomain {{ s.subdomain }} löschen?');">
|
||||
<button type="submit" class="btn btn-link btn-sm p-0 ms-1 text-danger" title="Subdomain löschen"
|
||||
style="vertical-align: baseline;"><i class="bi bi-x-lg"></i></button>
|
||||
class="d-inline" data-confirm="Subdomain {{ s.subdomain }} löschen?">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
|
||||
<button type="submit" class="btn btn-link btn-sm p-0 ms-1 text-danger va-baseline"
|
||||
title="Subdomain löschen"><i class="bi bi-x-lg"></i></button>
|
||||
</form>
|
||||
</span>
|
||||
{% else %}
|
||||
@@ -60,6 +61,7 @@
|
||||
<i class="bi bi-pencil"></i>
|
||||
</button>
|
||||
<form method="post" action="{{ url_for('user_toggle', user_id=u.id) }}" class="d-inline">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
|
||||
<button type="submit" class="btn btn-outline-warning" title="Aktivieren/Deaktivieren">
|
||||
<i class="bi bi-{% if u.active %}pause{% else %}play{% endif %}-fill"></i>
|
||||
</button>
|
||||
@@ -82,6 +84,7 @@
|
||||
<button type="button" class="btn-close" data-bs-dismiss="modal"></button>
|
||||
</div>
|
||||
<form method="post" action="{{ url_for('subdomain_add', user_id=u.id) }}">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
|
||||
<div class="modal-body">
|
||||
<label class="form-label">Subdomain(s)</label>
|
||||
<div class="input-group">
|
||||
@@ -111,6 +114,7 @@
|
||||
<button type="button" class="btn-close" data-bs-dismiss="modal"></button>
|
||||
</div>
|
||||
<form method="post" action="{{ url_for('user_edit', user_id=u.id) }}">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
|
||||
<div class="modal-body">
|
||||
<div class="mb-3">
|
||||
<label class="form-label">DynDNS-Benutzername</label>
|
||||
@@ -148,6 +152,7 @@
|
||||
<div class="modal-footer">
|
||||
<button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Abbrechen</button>
|
||||
<form method="post" action="{{ url_for('user_delete', user_id=u.id) }}" class="d-inline">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
|
||||
<button type="submit" class="btn btn-danger">Löschen</button>
|
||||
</form>
|
||||
</div>
|
||||
@@ -174,6 +179,7 @@
|
||||
<button type="button" class="btn-close" data-bs-dismiss="modal"></button>
|
||||
</div>
|
||||
<form method="post" action="{{ url_for('user_add') }}">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
|
||||
<div class="modal-body">
|
||||
<div class="mb-3">
|
||||
<label class="form-label">DynDNS-Benutzername</label>
|
||||
|
||||
Reference in New Issue
Block a user