UMBRA

rohskiddo/UMBRA

Fork 0

Commit Graph

Author	SHA1	Message	Date
Kyle Pope	fee454fc33	Fix 503s behind reverse proxy: add uvicorn --proxy-headers FastAPI trailing-slash redirects (307) were using http:// instead of https:// because uvicorn wasn't reading X-Forwarded-Proto from the reverse proxy. When Pangolin (TLS-terminating proxy) received the http:// redirect it returned 503, breaking all list endpoints (/events, /calendars, /settings, /projects, /people, /locations). Adding --proxy-headers makes uvicorn honour X-Forwarded-Proto so redirects use the correct scheme. --forwarded-allow-ips '*' trusts headers from any IP since nginx sits on the Docker bridge network. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-02 17:17:39 +08:00
Kyle Pope	f372e7bd99	Harden infrastructure: address 7 pentest findings - Remove external backend port 8000 exposure (VULN-01) - Conditionally disable Swagger/ReDoc/OpenAPI in non-dev (VULN-01) - Suppress nginx and uvicorn server version headers (VULN-07) - Fix CSP to allow Google Fonts (fonts.googleapis.com/gstatic) (VULN-08) - Add nginx rate limiting on auth endpoints (10r/m burst=5) (VULN-09) - Block dotfile access (/.env, /.git) while preserving .well-known (VULN-10) - Make CORS origins configurable, tighten methods/headers (VULN-11) - Run both containers as non-root users (VULN-12) - Add IP rate limit + account lockout to /change-password Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-25 19:57:29 +08:00
Kyle Pope	1f6519635f	Initial commit	2026-02-15 16:13:41 +08:00

Author

SHA1

Message

Date

Kyle Pope

fee454fc33

Fix 503s behind reverse proxy: add uvicorn --proxy-headers

FastAPI trailing-slash redirects (307) were using http:// instead of
https:// because uvicorn wasn't reading X-Forwarded-Proto from the
reverse proxy. When Pangolin (TLS-terminating proxy) received the
http:// redirect it returned 503, breaking all list endpoints
(/events, /calendars, /settings, /projects, /people, /locations).

Adding --proxy-headers makes uvicorn honour X-Forwarded-Proto so
redirects use the correct scheme. --forwarded-allow-ips '*' trusts
headers from any IP since nginx sits on the Docker bridge network.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-02 17:17:39 +08:00

Kyle Pope

f372e7bd99

Harden infrastructure: address 7 pentest findings

- Remove external backend port 8000 exposure (VULN-01)
- Conditionally disable Swagger/ReDoc/OpenAPI in non-dev (VULN-01)
- Suppress nginx and uvicorn server version headers (VULN-07)
- Fix CSP to allow Google Fonts (fonts.googleapis.com/gstatic) (VULN-08)
- Add nginx rate limiting on auth endpoints (10r/m burst=5) (VULN-09)
- Block dotfile access (/.env, /.git) while preserving .well-known (VULN-10)
- Make CORS origins configurable, tighten methods/headers (VULN-11)
- Run both containers as non-root users (VULN-12)
- Add IP rate limit + account lockout to /change-password

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-25 19:57:29 +08:00

Kyle Pope

1f6519635f

Initial commit

2026-02-15 16:13:41 +08:00

3 Commits