From 6511f39609b9ae134634a8ebc6642daa533d119b Mon Sep 17 00:00:00 2001 From: "yves.gugger" Date: Fri, 12 Dec 2025 10:27:00 +0100 Subject: [PATCH] docs: add simple security remediation checklist --- README.md | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/README.md b/README.md index e64976d..cb0d955 100644 --- a/README.md +++ b/README.md 
@@ -4,6 +4,66 @@ A professional full-stack platform for domain hunters, investors, and portfolio --- +## Security remediation (required) + +This repo previously contained **accidentally committed secrets** (`DEPLOY_backend.env`, `DEPLOY_frontend.env`) and **session cookies** (`backend/data/cookies/session_cookies.json`). The codebase was updated to **Cookie-based auth (HttpOnly)** and the **git history was rewritten** to remove the leaked files. + +### Do this now (simple checklist) + +1) **Rotate ALL secrets (treat old values as compromised)** +- **Backend secrets**: `SECRET_KEY` +- **Stripe**: `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`, price IDs if necessary +- **OAuth**: `GOOGLE_CLIENT_SECRET`, `GITHUB_CLIENT_SECRET` (and IDs if you want) +- **Email**: `SMTP_PASSWORD` +- **Other integrations** (if used): `DROPCATCH_CLIENT_SECRET`, `SEDO_SIGN_KEY`, `MOZ_SECRET_KEY` + +Generate a new `SECRET_KEY` locally: + +```bash +python3 -c "import secrets; print(secrets.token_hex(32))" +``` + +2) **Force-push the rewritten history to your remote** + +```bash +git push --force-with-lease --all +git push --force-with-lease --tags +``` + +3) **Re-clone on every server/CI machine** + +Because history changed, **do not** `git pull` on old clones. The simplest safe path: + +```bash +rm -rf pounce +git clone pounce +``` + +4) **Re-deploy** +- **Backend**: `pip install -r backend/requirements.txt` +- **Frontend**: `npm ci && npm run build` + +5) **Quick verification** +- Login now sets an **HttpOnly cookie**: + - `POST /api/v1/auth/login` returns `{ "expires_in": ... 
}` (no token in JSON) + - `POST /api/v1/auth/logout` clears the cookie + +### Deployment note (keep it simple) + +For the new cookie-auth to “just work”, the recommended setup is: +- **Serve the frontend on your main domain** +- **Route `/api/v1/*` to the backend via reverse proxy** (nginx/caddy/Next rewrite) + +### Env files (important) + +- **Never commit** any of these: + - `DEPLOY_backend.env`, `DEPLOY_frontend.env`, `backend/data/cookies/*.json` +- Use templates: + - `DEPLOY_backend.env.example` → copy to `DEPLOY_backend.env` (local only) + - `DEPLOY_frontend.env.example` → copy to `DEPLOY_frontend.env` (local only) + +--- + ## 🚀 What's New (v2.0) ### User Command Center
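Review bot: the re-clone step in this hunk is not runnable as written and is destructive on exactly the machines it targets. `git clone pounce` has no remote URL (it would try to clone the local directory that the preceding `rm -rf pounce` just deleted), so it should read `git clone <remote-url> pounce` with the real origin filled in. More importantly, the same hunk says `DEPLOY_backend.env` and `DEPLOY_frontend.env` are local-only and never committed, which means `rm -rf pounce` on a server or CI box silently deletes the only copy of the live configuration; the checklist should tell readers to move those files (and anything under `backend/data/cookies/`) out of the working tree before removing the clone, then restore them into the fresh clone. Two smaller points for the same section: step 1 should also state that the leaked `session_cookies.json` sessions need to be invalidated server-side, since rotating `SECRET_KEY` does not by itself revoke cookies that were already copied out of the repo; and the "Quick verification" step would be stronger if it checked the `Set-Cookie` header on `POST /api/v1/auth/login` for the `HttpOnly` (and `Secure`, `SameSite`) attributes rather than only confirming that the JSON body has no token, because the absence of a token in the body does not prove the cookie was issued with the intended flags.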