CooperandGoodman/homeschool
1
0
Fork 0
Code Issues Pull Requests Activity

Security hardening: go-live review fixes

Browse Source 
- TV tokens upgraded from 4 to 6 digits; Regen Token button in Admin
- Nginx rate limiting on TV dashboard and WebSocket endpoints
- Login lockout after 5 failed attempts (15 min); clears on admin password reset
- HSTS header added; CSP unsafe-inline removed from script-src; CORS restricted to explicit methods/headers
- Dependency CVE fixes: PyJWT 2.12.0, aiomysql 0.3.0, cryptography 46.0.5, python-multipart 0.0.22
- datetime.utcnow() replaced with datetime.now(timezone.utc) throughout
- SQL identifier whitelist for startup migration queries
- README updated: security notes section, lockout docs, token regen, NPM proxy guidance

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Derek Cooper
2026-03-22 00:00:14 -07:00
parent be86cae7fa
commit 3022bc328b
11 changed files with 228 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
backend/requirements.txt
View File

@@ -1,11 +1,12 @@
fastapi==0.115.0
uvicorn[standard]==0.30.6
sqlalchemy[asyncio]==2.0.35
aiomysql==0.2.0
python-jose[cryptography]==3.3.0
aiomysql==0.3.0
PyJWT==2.12.0
cryptography==46.0.5
passlib[bcrypt]==1.7.4
bcrypt==3.2.2
pydantic-settings==2.5.2
alembic==1.13.3
python-multipart==0.0.12
python-multipart==0.0.22
email-validator==2.2.0