fix: add session auth to SearXNG web search proxy (FINAL-02)

Security audit findings — zero critical/high issues:
- Fixed: SearXNG API proxy was missing session cookie check
- Verified: RPC endpoints use session auth + CSRF tokens + rate limiting
- Verified: Cookies use HttpOnly + SameSite=Strict + Secure (prod)
- Verified: Secrets encrypted with AES-256-GCM, 0600 permissions
- Verified: Container isolation with capability dropping, readonly root
- Verified: Nginx has security headers (CSP, X-Frame-Options, etc.)
- Verified: CORS validates against allowlist (no wildcard)
- Low findings documented: legacy plaintext secret fallback, v-html for TOTP QR

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-11 17:43:25 +00:00
parent 9a81116ca2
commit fc57570a0e
2 changed files with 11 additions and 1 deletions

View File

@@ -398,7 +398,7 @@
- [x] **FINAL-01** — Run final UX audit on every page. Complete UX review of all 20+ pages/views. Fix any remaining inconsistencies. Ensure loading states, error states, and empty states are all polished. **Acceptance**: UX audit passes with no critical issues.
- [ ] **FINAL-02** — Run final security audit. Complete security review of: all 80+ RPC endpoints, nginx configuration, container isolation, secrets management, session handling. Fix any findings. **Acceptance**: Zero critical/high findings.
- [x] **FINAL-02** — Run final security audit. Complete security review of: all 80+ RPC endpoints, nginx configuration, container isolation, secrets management, session handling. Fix any findings. **Acceptance**: Zero critical/high findings.
- [ ] **FINAL-03** — Run final sweep. Execute `/sweep`. All metrics must be at zero violations or documented exceptions. **Acceptance**: Sweep report clean.