rohskiddo/UMBRA
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Fix QA review findings: update docs and comments

Browse Source 
- W-01: Update README.md security section to reflect removed in-memory
  rate limiter and add /setup to nginx rate-limited endpoint list
- W-02: Replace misleading ALLOW_LAN_NTFY reference with actionable
  guidance to edit _BLOCKED_NETWORKS directly
- S-04: Add comment explaining burst=3 on /api/auth/setup vs burst=5

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kyle 2026-02-26 02:42:59 +08:00
parent a0b50a2b13
commit 92efeba2ec
3 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -111,8 +111,8 @@ A self-hosted personal life administration app with a dark-themed UI. Manage you
- **Non-root containers** — both backend (`appuser:1000`) and frontend (`nginx-unprivileged`) run as non-root - **Non-root containers** — both backend (`appuser:1000`) and frontend (`nginx-unprivileged`) run as non-root
- **No external backend port** — port 8000 is internal-only; all traffic flows through nginx - **No external backend port** — port 8000 is internal-only; all traffic flows through nginx
- **Server version suppression**`server_tokens off` (nginx) and `--no-server-header` (uvicorn) - **Server version suppression**`server_tokens off` (nginx) and `--no-server-header` (uvicorn)
- **Rate limiting** — nginx `limit_req_zone` (10 req/min, burst=5) on `/api/auth/login`, `/verify-password`, `/change-password`, `/totp-verify` - **Rate limiting** — nginx `limit_req_zone` (10 req/min) on `/api/auth/login` (burst=5), `/verify-password` (burst=5), `/change-password` (burst=5), `/totp-verify` (burst=5), `/setup` (burst=3)
- **Application-level rate limiting** — in-memory IP-based rate limit (5 attempts / 5 min) + DB-backed account lockout (10 failures = 30-min lock) - **DB-backed account lockout** — 10 failed attempts triggers 30-minute lock per account
- **Dotfile blocking**`/.env`, `/.git/config`, etc. return 404 (`.well-known` preserved for ACME) - **Dotfile blocking**`/.env`, `/.git/config`, etc. return 404 (`.well-known` preserved for ACME)
- **CSP headers** — Content-Security-Policy on all responses, scoped for Google Fonts - **CSP headers** — Content-Security-Policy on all responses, scoped for Google Fonts
- **CORS** — configurable origins with explicit method/header allowlists - **CORS** — configurable origins with explicit method/header allowlists

2
backend/app/services/ntfy.py
View File

@ -19,7 +19,7 @@ NTFY_TIMEOUT = 8.0 # seconds — hard cap to prevent hung requests
# Loopback, link-local, and all RFC 1918 private ranges are blocked to prevent # Loopback, link-local, and all RFC 1918 private ranges are blocked to prevent
# SSRF against Docker-internal services. If a self-hosted ntfy server on the LAN # SSRF against Docker-internal services. If a self-hosted ntfy server on the LAN
# is required, set ALLOW_LAN_NTFY=true in .env and document the accepted risk. # is required, remove the RFC 1918 entries from _BLOCKED_NETWORKS and document the accepted risk.
_BLOCKED_NETWORKS = [ _BLOCKED_NETWORKS = [
ipaddress.ip_network("127.0.0.0/8"), # IPv4 loopback ipaddress.ip_network("127.0.0.0/8"), # IPv4 loopback
ipaddress.ip_network("10.0.0.0/8"), # RFC 1918 private ipaddress.ip_network("10.0.0.0/8"), # RFC 1918 private

1
frontend/nginx.conf
View File

@ -47,6 +47,7 @@ server {
} }
location /api/auth/setup { location /api/auth/setup {
# Tighter burst: setup is one-time-only, 3 attempts is sufficient
limit_req zone=auth_limit burst=3 nodelay; limit_req zone=auth_limit burst=3 nodelay;
limit_req_status 429; limit_req_status 429;
include /etc/nginx/proxy-params.conf; include /etc/nginx/proxy-params.conf;