Add security hardening, captcha login, and password reset via email
- .htaccess: HTTPS enforcement, security headers, block sensitive files - data/.htaccess: deny all direct access to data directory - Secure session settings (httponly, secure, strict mode, samesite) - Rate limiting on login (10 attempts per 15 min per IP) - Math captcha on login form (server-side validated) - Password reset via email with token (1 hour expiry) - Forgot password UI with reset link flow - Email field added to user management - Updated .gitignore for reset_tokens.json and login_attempts.json Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
20
.htaccess
Normal file
20
.htaccess
Normal file
@@ -0,0 +1,20 @@
|
||||
# HTTPS-pakotus
|
||||
RewriteEngine On
|
||||
RewriteCond %{HTTPS} off
|
||||
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
|
||||
|
||||
# Tietoturvaotsikot
|
||||
Header always set X-Content-Type-Options "nosniff"
|
||||
Header always set X-Frame-Options "DENY"
|
||||
Header always set X-XSS-Protection "1; mode=block"
|
||||
Header always set Referrer-Policy "strict-origin-when-cross-origin"
|
||||
|
||||
# Estä pääsy piilotiedostoihin
|
||||
<FilesMatch "^\.">
|
||||
Deny from all
|
||||
</FilesMatch>
|
||||
|
||||
# Estä pääsy server.py ja muihin ei-web-tiedostoihin
|
||||
<FilesMatch "\.(py|json|md|gitignore)$">
|
||||
Deny from all
|
||||
</FilesMatch>
|
||||
Reference in New Issue
Block a user