yvg/pounce
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

docs: add simple security remediation checklist

Browse Source
This commit is contained in:
yves.gugger
2025-12-12 10:27:00 +01:00
parent 5d7bd1a04f
commit 6511f39609
1 changed files with 60 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
README.md
View File

@ -4,6 +4,66 @@ A professional full-stack platform for domain hunters, investors, and portfolio
---
## Security remediation (required)
This repo previously contained **accidentally committed secrets** (`DEPLOY_backend.env`, `DEPLOY_frontend.env`) and **session cookies** (`backend/data/cookies/session_cookies.json`). The codebase was updated to **Cookie-based auth (HttpOnly)** and the **git history was rewritten** to remove the leaked files.
### Do this now (simple checklist)
1) **Rotate ALL secrets (treat old values as compromised)**
- **Backend secrets**: `SECRET_KEY`
- **Stripe**: `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`, price IDs if necessary
- **OAuth**: `GOOGLE_CLIENT_SECRET`, `GITHUB_CLIENT_SECRET` (and IDs if you want)
- **Email**: `SMTP_PASSWORD`
- **Other integrations** (if used): `DROPCATCH_CLIENT_SECRET`, `SEDO_SIGN_KEY`, `MOZ_SECRET_KEY`
Generate a new `SECRET_KEY` locally:
```bash
python3 -c "import secrets; print(secrets.token_hex(32))"
```
2) **Force-push the rewritten history to your remote**
```bash
git push --force-with-lease --all
git push --force-with-lease --tags
```
3) **Re-clone on every server/CI machine**
Because history changed, **do not** `git pull` on old clones. The simplest safe path:
```bash
rm -rf pounce
git clone <your-repo> pounce
```
4) **Re-deploy**
- **Backend**: `pip install -r backend/requirements.txt`
- **Frontend**: `npm ci && npm run build`
5) **Quick verification**
- Login now sets an **HttpOnly cookie**:
- `POST /api/v1/auth/login` returns `{ "expires_in": ... }` (no token in JSON)
- `POST /api/v1/auth/logout` clears the cookie
### Deployment note (keep it simple)
For the new cookie-auth to “just work”, the recommended setup is:
- **Serve the frontend on your main domain**
- **Route `/api/v1/*` to the backend via reverse proxy** (nginx/caddy/Next rewrite)
### Env files (important)
- **Never commit** any of these:
- `DEPLOY_backend.env`, `DEPLOY_frontend.env`, `backend/data/cookies/*.json`
- Use templates:
- `DEPLOY_backend.env.example` → copy to `DEPLOY_backend.env` (local only)
- `DEPLOY_frontend.env.example` → copy to `DEPLOY_frontend.env` (local only)
---
## 🚀 What's New (v2.0)
### User Command Center