NexaPantry/docs/security.md
nessi 3792ca55e7
chore: initial project setup with backend, frontend, and infrastructure
Add complete NexaPantry application structure including:
- Docker Compose configuration with PostgreSQL, Redis, FastAPI backend, worker, frontend and Caddy
- Environment configuration template with database, auth, and service settings
- GitHub Actions CI workflow for backend/frontend linting, testing, auditing and Docker builds
- AGPL-3.0 license and comprehensive README with setup, development, and security documentation
- Backend
2026-06-04 10:26:38 +02:00


Security Checklist

  • Passwords: Argon2id via Passlib.
  • Session: HttpOnly SameSite cookies with JWT payloads.
  • CSRF: double-submit token for unsafe API methods.
  • Tokens: invitation and reset tokens are random, expiring and stored as SHA-256 hashes.
  • SMTP secret: encrypted with Fernet.
  • CORS: explicit allowed origins only.
  • CSP: set by Caddy for the frontend surface.
  • IDOR: home-scoped APIs verify membership.
  • SQL injection: SQLAlchemy query builder and parameter binding.
  • Audit logs: admin and sensitive actions are recorded without secrets.
  • Rate limits: the login, invitation and password-reset endpoints are throttled.
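The token rule above (random, expiring, stored only as a SHA-256 hash) as an added example; this is illustrative code, not NexaPantry's own, and it uses an in-memory dict as a stand-in for the tokens table and an assumed 15-minute lifetime:

```python
# Added example, not NexaPantry code: one-time invitation / reset tokens that are
# random, expiring and persisted only as SHA-256 hashes.
from __future__ import annotations

import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the project value may differ

# Constructed stand-in for the database table: sha256 hex digest -> record
_token_store: dict[str, dict] = {}


def _digest(raw_token: str) -> str:
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


def issue_token(user_id: int, purpose: str, now: float | None = None) -> str:
    """Return the raw token to send by e-mail; only its hash is stored."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _token_store[_digest(raw)] = {
        "user_id": user_id,
        "purpose": purpose,          # "invite" or "reset"; prevents cross-use
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return raw


def consume_token(raw: str, purpose: str, now: float | None = None) -> int | None:
    """Validate and burn a token; return the user id, or None on any failure."""
    now = time.time() if now is None else now
    # Hashing first means a leaked table holds no usable tokens, and the lookup
    # key is derived from the caller's input, so a plain dict/DB lookup is fine.
    rec = _token_store.get(_digest(raw))
    if rec is None or rec["used"] or rec["purpose"] != purpose:
        return None
    if now > rec["expires_at"]:
        return None
    rec["used"] = True  # single use: a replayed link must fail
    return rec["user_id"]
```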

Recommended external tools:

pip-audit
bandit -r backend/app
npm audit --audit-level=moderate
gitleaks detect --source .
trivy fs .
trivy image <image>