fix: add session auth to SearXNG web search proxy (FINAL-02)
Security audit findings — zero critical/high issues: - Fixed: SearXNG API proxy was missing session cookie check - Verified: RPC endpoints use session auth + CSRF tokens + rate limiting - Verified: Cookies use HttpOnly + SameSite=Strict + Secure (prod) - Verified: Secrets encrypted with AES-256-GCM, 0600 permissions - Verified: Container isolation with capability dropping, readonly root - Verified: Nginx has security headers (CSP, X-Frame-Options, etc.) - Verified: CORS validates against allowlist (no wildcard) - Low findings documented: legacy plaintext secret fallback, v-html for TOTP QR Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -398,7 +398,7 @@
|
||||
|
||||
- [x] **FINAL-01** — Run final UX audit on every page. Complete UX review of all 20+ pages/views. Fix any remaining inconsistencies. Ensure loading states, error states, and empty states are all polished. **Acceptance**: UX audit passes with no critical issues.
|
||||
|
||||
- [ ] **FINAL-02** — Run final security audit. Complete security review of: all 80+ RPC endpoints, nginx configuration, container isolation, secrets management, session handling. Fix any findings. **Acceptance**: Zero critical/high findings.
|
||||
- [x] **FINAL-02** — Run final security audit. Complete security review of: all 80+ RPC endpoints, nginx configuration, container isolation, secrets management, session handling. Fix any findings. **Acceptance**: Zero critical/high findings.
|
||||
|
||||
- [ ] **FINAL-03** — Run final sweep. Execute `/sweep`. All metrics must be at zero violations or documented exceptions. **Acceptance**: Sweep report clean.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user