Security Hardening: Phase 1-3 complete
- C1: Hash refresh tokens before DB storage (sha256)
- C2: Remove JWT_SECRET fallback, fail hard if missing
- H1: Enforce HTTP methods per route (405 on mismatch)
- H2: CORS with origin whitelist from CORS_ORIGIN env var
- H3: Redact sensitive fields (tokens, passwords) from logs
- M1: Build HmacMiddleware with replay attack prevention
- M2: Fix rate limiter race condition with flock LOCK_EX
- M3: Guard dd() — suppressed in production
- M4: Remove .env from git tracking, strengthen .gitignore
- I1: Add HSTS header (max-age=31536000)
11
.gitignore
vendored
@@ -1,12 +1,21 @@
|
||||
# Secrets — NEVER commit these
|
||||
.env
|
||||
.env.*
|
||||
config/secrets.php
|
||||
|
||||
# Storage — runtime data, not code
|
||||
storage/invoices/
|
||||
storage/logs/
|
||||
storage/exports/
|
||||
storage/cache/
|
||||
|
||||
# Dependencies
|
||||
vendor/
|
||||
node_modules/
|
||||
|
||||
# Dev tools
|
||||
scratch.js
|
||||
describe.php
|
||||
.DS_Store
|
||||
.idea/
|
||||
.vscode/
|
||||
node_modules/
|
||||
|
||||
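Review bot: `node_modules/` is listed twice in this hunk, once under "# Dependencies" and again at the end of "# Dev tools"; drop the second entry so the file stays unambiguous. The `.env.*` glob under "# Secrets" also matches `.env.example`, which is normally meant to be committed as the documented template, so add a negation right after it (`!.env.example`) if such a file exists. Finally, adding `.env` to `.gitignore` only stops future adds: if `.env` was tracked before this change (as M4 in the commit message implies), it must also be removed from the index with `git rm --cached .env`, and any secrets it contained remain in repository history and should be rotated.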