Hartmut
f8550110eb
security: fix 4 OWASP quick-wins from audit round 2
A04-1 (High): docker-compose E2E_TEST_MODE now defaults to "false"
via ${E2E_TEST_MODE:-false} — prevents accidental security bypass in
non-test deployments. runtime-env.ts throws at startup if
E2E_TEST_MODE=true in production.
A05-3 (Medium): all 4 cron routes now fail-closed when CRON_SECRET
is unset. Extracted shared verifyCronSecret() helper to
apps/web/src/lib/cron-auth.ts.
A02-1 (Low): verifyCronSecret uses crypto.timingSafeEqual for
constant-time Bearer token comparison.
A10-1 (Medium): Slack webhook routing uses strict hostname check
(parsedUrl.hostname === "hooks.slack.com") instead of .includes()
to prevent bypass via subdomain confusion.
Tickets created for remaining findings: #28 (TOTP rate limit),
#29 (allocations role check), #30 (API keys in DB), #31 (pgAdmin
creds), #32 (MFA enforcement), #33 (auth anomaly alerting),
#34 (comment server-side sanitization).
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 22:57:51 +02:00
..
2026-03-30 19:17:32 +02:00
2026-03-30 00:27:31 +02:00
2026-03-28 22:49:28 +01:00
2026-03-27 13:18:09 +01:00
2026-04-01 07:42:03 +02:00
2026-03-28 22:49:28 +01:00
2026-03-30 18:50:36 +02:00
2026-03-27 16:23:33 +01:00
2026-03-22 21:50:39 +01:00
2026-03-30 19:17:32 +02:00
2026-03-22 21:50:39 +01:00
2026-03-19 00:10:08 +01:00
2026-03-28 22:49:28 +01:00
2026-03-28 22:49:28 +01:00
2026-03-27 14:16:39 +01:00
2026-03-28 22:49:28 +01:00
2026-03-27 13:18:09 +01:00
2026-03-27 16:23:33 +01:00
2026-03-19 21:39:05 +01:00
2026-03-31 22:36:53 +02:00
2026-03-31 22:38:02 +02:00
2026-03-29 12:47:12 +02:00
2026-03-28 22:49:28 +01:00
2026-03-20 06:57:20 +01:00
2026-04-01 18:19:21 +02:00
2026-03-30 19:55:06 +02:00
2026-03-27 13:18:09 +01:00
2026-03-27 13:18:09 +01:00
2026-03-28 22:49:28 +01:00
2026-03-31 22:42:00 +02:00
2026-04-01 22:57:51 +02:00