duffyduck/dyndns-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c3070469c152a7ea9413fb14f48909a1dc5c72b6
dyndns-server/app/templates/base.html
T
Stefan Hacker c3070469c1 Security-Hardening (Pentest-Findings F-02 bis F-07) 
- CSRF-Schutz: session-gebundenes Token in allen POST-Formularen, serverseitig
  per before_request geprueft; /nic/update ausgenommen (Basic-Auth-API)
- Brute-Force-Schutz: DB-gestuetzter Login-Lockout pro Client-IP
  (5 Fehlversuche -> 15 min), echte IP via ProxyFix/X-Forwarded-For
- SSRF: validate_plesk_url() erzwingt http(s) und blockt Link-Local/Metadata,
  Multicast und reservierte Ziele
- Session-Cookies: HttpOnly, SameSite=Lax, Secure (per Env abschaltbar)
- Security-Header: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Generische Plesk-Fehlermeldungen (keine internen URLs im UI)
- CSS/JS nach static/ ausgelagert -> strikte CSP ohne 'unsafe-inline'
- login_attempts-Tabelle + README-Security-Abschnitt

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-06 14:45:27 +02:00

58 lines
2.2 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="de">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>{% block title %}DynDNS Manager{% endblock %}</title>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css">
<link rel="stylesheet" href="{{ url_for('static', filename='css/app.css') }}">
</head>
<body class="d-flex">
<nav id="sidebar" class="d-flex flex-column p-3">
<a href="{{ url_for('dashboard') }}" class="brand text-decoration-none mb-4 d-flex align-items-center gap-2">
<i class="bi bi-globe2 fs-5"></i> DynDNS
</a>
<div class="nav flex-column">
<a href="{{ url_for('dashboard') }}"
class="nav-link {% if request.endpoint == 'dashboard' %}active{% endif %}">
<i class="bi bi-speedometer2"></i> Dashboard
</a>
<a href="{{ url_for('users') }}"
class="nav-link {% if request.endpoint in ['users'] %}active{% endif %}">
<i class="bi bi-people-fill"></i> Benutzer
</a>
<a href="{{ url_for('settings') }}"
class="nav-link {% if request.endpoint == 'settings' %}active{% endif %}">
<i class="bi bi-gear-fill"></i> Einstellungen
</a>
</div>
<div class="mt-auto">
<hr>
<small class="text-secondary d-block mb-2 px-2">{{ session.admin_username }}</small>
<a href="{{ url_for('logout') }}" class="nav-link text-danger">
<i class="bi bi-box-arrow-left"></i> Abmelden
</a>
</div>
</nav>
<div class="main-content">
{% with msgs = get_flashed_messages(with_categories=true) %}
{% for cat, msg in msgs %}
<div class="alert alert-{{ cat }} alert-dismissible fade show" role="alert">
{{ msg }}
<button type="button" class="btn-close" data-bs-dismiss="alert"></button>
</div>
{% endfor %}
{% endwith %}
{% block content %}{% endblock %}
</div>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
<script src="{{ url_for('static', filename='js/app.js') }}"></script>
{% block scripts %}{% endblock %}
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink