Kyle Pope 20d0c2ff57 Fix pentest findings: Cache-Control, SSRF save-time validation, Permissions-Policy ...

L-01: Add Cache-Control: no-store to all /api/ responses via nginx
L-02: Validate ntfy_server_url against blocked networks at save time
I-03: Add Permissions-Policy header to restrict unused browser APIs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-03 17:52:28 +08:00

..

__init__.py

Initial commit

2026-02-15 16:13:41 +08:00

admin.py

Fix missing date_of_birth in admin user detail API response

2026-03-03 01:42:06 +08:00

auth.py

Add required email + date of birth to registration, shared validators, partial index

2026-03-02 19:21:11 +08:00

calendars.py

M-01+M-03: Add input validation and extra=forbid to all request schemas

2026-02-27 15:43:55 +08:00

dashboard.py

Fix TS build errors and apply remaining QA fixes

2026-02-27 04:42:23 +08:00

event_templates.py

M-01+M-03: Add input validation and extra=forbid to all request schemas

2026-02-27 15:43:55 +08:00

events.py

M-01+M-03: Add input validation and extra=forbid to all request schemas

2026-02-27 15:43:55 +08:00

locations.py

M-01+M-03: Add input validation and extra=forbid to all request schemas

2026-02-27 15:43:55 +08:00

people.py

M-01+M-03: Add input validation and extra=forbid to all request schemas

2026-02-27 15:43:55 +08:00

projects.py

M-01+M-03: Add input validation and extra=forbid to all request schemas

2026-02-27 15:43:55 +08:00

reminders.py

M-01+M-03: Add input validation and extra=forbid to all request schemas

2026-02-27 15:43:55 +08:00

settings.py

Fix pentest findings: Cache-Control, SSRF save-time validation, Permissions-Policy

2026-03-03 17:52:28 +08:00

todos.py

M-01+M-03: Add input validation and extra=forbid to all request schemas

2026-02-27 15:43:55 +08:00

totp.py

Extract real client IP from proxy headers instead of Docker bridge IP

2026-03-01 19:20:07 +08:00

weather.py

Fix QA review #2: W-03/W-04, S-01 through S-04

2026-02-27 05:41:16 +08:00