docs: add simple security remediation checklist
This commit is contained in:
yves.gugger
60
README.md
60
README.md
@ -4,6 +4,66 @@ A professional full-stack platform for domain hunters, investors, and portfolio
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
## Security remediation (required)
|
||||||
|
|
||||||
|
This repo previously contained **accidentally committed secrets** (`DEPLOY_backend.env`, `DEPLOY_frontend.env`) and **session cookies** (`backend/data/cookies/session_cookies.json`). The codebase was updated to **Cookie-based auth (HttpOnly)** and the **git history was rewritten** to remove the leaked files.
|
||||||
|
|
||||||
|
### Do this now (simple checklist)
|
||||||
|
|
||||||
|
1) **Rotate ALL secrets (treat old values as compromised)**
|
||||||
|
- **Backend secrets**: `SECRET_KEY`
|
||||||
|
- **Stripe**: `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`, price IDs if necessary
|
||||||
|
- **OAuth**: `GOOGLE_CLIENT_SECRET`, `GITHUB_CLIENT_SECRET` (and IDs if you want)
|
||||||
|
- **Email**: `SMTP_PASSWORD`
|
||||||
|
- **Other integrations** (if used): `DROPCATCH_CLIENT_SECRET`, `SEDO_SIGN_KEY`, `MOZ_SECRET_KEY`
|
||||||
|
|
||||||
|
Generate a new `SECRET_KEY` locally:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
python3 -c "import secrets; print(secrets.token_hex(32))"
|
||||||
|
```
|
||||||
|
|
||||||
|
2) **Force-push the rewritten history to your remote**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git push --force-with-lease --all
|
||||||
|
git push --force-with-lease --tags
|
||||||
|
```
|
||||||
|
|
||||||
|
3) **Re-clone on every server/CI machine**
|
||||||
|
|
||||||
|
Because history changed, **do not** `git pull` on old clones. The simplest safe path:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
rm -rf pounce
|
||||||
|
git clone <your-repo> pounce
|
||||||
|
```
|
||||||
|
|
||||||
|
4) **Re-deploy**
|
||||||
|
- **Backend**: `pip install -r backend/requirements.txt`
|
||||||
|
- **Frontend**: `npm ci && npm run build`
|
||||||
|
|
||||||
|
5) **Quick verification**
|
||||||
|
- Login now sets an **HttpOnly cookie**:
|
||||||
|
- `POST /api/v1/auth/login` returns `{ "expires_in": ... }` (no token in JSON)
|
||||||
|
- `POST /api/v1/auth/logout` clears the cookie
|
||||||
|
|
||||||
|
### Deployment note (keep it simple)
|
||||||
|
|
||||||
|
For the new cookie-auth to “just work”, the recommended setup is:
|
||||||
|
- **Serve the frontend on your main domain**
|
||||||
|
- **Route `/api/v1/*` to the backend via reverse proxy** (nginx/caddy/Next rewrite)
|
||||||
|
|
||||||
|
### Env files (important)
|
||||||
|
|
||||||
|
- **Never commit** any of these:
|
||||||
|
- `DEPLOY_backend.env`, `DEPLOY_frontend.env`, `backend/data/cookies/*.json`
|
||||||
|
- Use templates:
|
||||||
|
- `DEPLOY_backend.env.example` → copy to `DEPLOY_backend.env` (local only)
|
||||||
|
- `DEPLOY_frontend.env.example` → copy to `DEPLOY_frontend.env` (local only)
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
## 🚀 What's New (v2.0)
|
## 🚀 What's New (v2.0)
|
||||||
|
|
||||||
### User Command Center
|
### User Command Center
|
||||||
|
|||||||
Reference in New Issue
Block a user