elpatron/kapteins-daagbok
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

feat(security): Session-Cookies statt X-User-Id und API-Härtung

Browse Source 
Ersetzt die spoofbare X-User-Id-Auth durch signierte HttpOnly-Sessions nach
WebAuthn, erzwingt WRITE-only Sync, speichert den Master-Key nur im RAM und
ergänzt CORS, Rate-Limits, Helmet sowie Passkey-Reauth für sensible Aktionen.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
elpatron
2026-05-30 13:47:24 +02:00
parent 4f3f530f1f
commit dea33e3f00
33 changed files with 657 additions and 397 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/start-dev-docker.sh
+1
View File
@@ -44,6 +44,7 @@ if [ "$IS_READY" = true ]; then
echo "SUCCESS: Services are up and healthy!"
echo " -> App Frontend (Nginx): http://localhost"
echo " -> Backend API Health: http://localhost/api/health"
echo " -> Auth: session cookie (set ORIGIN=http://localhost, SESSION_SECRET in .env)"
echo "=================================================="
else
echo "WARNING: Backend did not transition to healthy in time."