Jukka Lampikoski
8a07689a1f
- .htaccess: HTTPS enforcement, security headers, block sensitive files - data/.htaccess: deny all direct access to data directory - Secure session settings (httponly, secure, strict mode, samesite) - Rate limiting on login (10 attempts per 15 min per IP) - Math captcha on login form (server-side validated) - Password reset via email with token (1 hour expiry) - Forgot password UI with reset link flow - Email field added to user management - Updated .gitignore for reset_tokens.json and login_attempts.json Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
21 lines
570 B
ApacheConf
21 lines
570 B
ApacheConf
# HTTPS-pakotus
|
|
RewriteEngine On
|
|
RewriteCond %{HTTPS} off
|
|
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
|
|
|
|
# Tietoturvaotsikot
|
|
Header always set X-Content-Type-Options "nosniff"
|
|
Header always set X-Frame-Options "DENY"
|
|
Header always set X-XSS-Protection "1; mode=block"
|
|
Header always set Referrer-Policy "strict-origin-when-cross-origin"
|
|
|
|
# Estä pääsy piilotiedostoihin
|
|
<FilesMatch "^\.">
|
|
Deny from all
|
|
</FilesMatch>
|
|
|
|
# Estä pääsy server.py ja muihin ei-web-tiedostoihin
|
|
<FilesMatch "\.(py|json|md|gitignore)$">
|
|
Deny from all
|
|
</FilesMatch>
|