duffyduck/dyndns-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

F-15/F-16/F-17 Security-Header & Logout

Browse Source 
- F-15 CSRF-Logout: /logout nur noch via POST mit CSRF-Token; Sidebar-Link
  ist jetzt ein POST-Formular. Schuetzt vor Cross-Site-Logout (SameSite=Lax
  greift bei Top-Level-GET nicht).
- F-16 SRI: Subresource-Integrity-Hashes (sha384) + crossorigin fuer alle
  CDN-Ressourcen (Bootstrap CSS/JS, Bootstrap-Icons).
- F-17: Permissions-Policy-Header (deaktiviert ungenutzte Browser-Features).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Stefan Hacker
2026-06-06 16:25:32 +02:00
parent eca887eadb
commit eccce7e539
5 changed files with 24 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/templates/login.html
+4 -2
View File
@@ -5,8 +5,10 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Login — DynDNS Manager</title>
<link rel="icon" href="{{ url_for('static', filename='favicon.svg') }}" type="image/svg+xml">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css"
integrity="sha384-T3c6CoIi6uLrA9TneNEoa7RxnatzjcDSCmG1MXxSR1GAsXEV/Dwwykc2MPK8M2HN" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css"
integrity="sha384-XGjxtQfXaH2tnPFa9x+ruJTuLE3Aa6LhHSWRr1XeTyhezb4abCG4ccI5AkVDxqC+" crossorigin="anonymous">
<link rel="stylesheet" href="{{ url_for('static', filename='css/login.css') }}">
</head>
<body class="justify-content-center">