Add security hardening, captcha login, and password reset via email
- .htaccess: HTTPS enforcement, security headers, block sensitive files - data/.htaccess: deny all direct access to data directory - Secure session settings (httponly, secure, strict mode, samesite) - Rate limiting on login (10 attempts per 15 min per IP) - Math captcha on login form (server-side validated) - Password reset via email with token (1 hour expiry) - Forgot password UI with reset link flow - Email field added to user management - Updated .gitignore for reset_tokens.json and login_attempts.json Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2
.gitignore
vendored
2
.gitignore
vendored
@@ -2,5 +2,7 @@ data/customers.json
|
||||
data/users.json
|
||||
data/changelog.json
|
||||
data/archive.json
|
||||
data/reset_tokens.json
|
||||
data/login_attempts.json
|
||||
data/backups/
|
||||
data/files/
|
||||
|
||||
Reference in New Issue
Block a user