left4me

297 commits 2 branches 0 tags 4.8 MiB

Author	SHA1	Message	Date
mwiegand	bbb2b983bc	harden(l4d2web): per-username login rate limit alongside per-IP A 20-attempts-per-60s budget keyed by IP doesn't slow a distributed brute force that rotates source IPs. Add a parallel per-username bucket with the same threshold so a single account can't burn through more than 20 failed logins/min regardless of where they come from. Empty usernames aren't bucketed (would DoS the anonymous 401 path). Successful login clears both buckets.	2026-05-14 22:26:20 +02:00
mwiegand	74b7f61437	harden(l4d2web): default security response headers and generic error handlers - after_request hook sets X-Content-Type-Options=nosniff, X-Frame-Options=DENY, Referrer-Policy=strict-origin-when-cross-origin, and a strict CSP (default-src 'self', script-src self+nonce, frame-ancestors 'none', form-action 'self'); HSTS added on secure non-test responses - per-request CSP nonce minted in g.csp_nonce; servers.html's inline showModal script picks it up - 404 and 500 handlers return short plain-text responses so a misbehaving deployment can't leak tracebacks via Werkzeug's debug page	2026-05-14 22:21:36 +02:00
mwiegand	288eda7c37	chore(l4d2): flatten component layout	2026-05-05 23:47:06 +02:00

Author

SHA1

Message

Date

mwiegand

bbb2b983bc

harden(l4d2web): per-username login rate limit alongside per-IP

A 20-attempts-per-60s budget keyed by IP doesn't slow a distributed brute force that rotates source IPs. Add a parallel per-username bucket with the same threshold so a single account can't burn through more than 20 failed logins/min regardless of where they come from. Empty usernames aren't bucketed (would DoS the anonymous 401 path). Successful login clears both buckets.

2026-05-14 22:26:20 +02:00

mwiegand

74b7f61437

harden(l4d2web): default security response headers and generic error handlers

- after_request hook sets X-Content-Type-Options=nosniff, X-Frame-Options=DENY, Referrer-Policy=strict-origin-when-cross-origin, and a strict CSP (default-src 'self', script-src self+nonce, frame-ancestors 'none', form-action 'self'); HSTS added on secure non-test responses
- per-request CSP nonce minted in g.csp_nonce; servers.html's inline showModal script picks it up
- 404 and 500 handlers return short plain-text responses so a misbehaving deployment can't leak tracebacks via Werkzeug's debug page

2026-05-14 22:21:36 +02:00

mwiegand

288eda7c37

chore(l4d2): flatten component layout

2026-05-05 23:47:06 +02:00

Renamed from components/l4d2-web-app/tests/test_security.py (Browse further)

3 commits