Harden security: CORS, XSS, rate limiting, CSP, SRI

- Lock down CORS to ALLOWED_ORIGINS env var (was wildcard) - Fix admin panel XSS: use data-username attributes instead of interpolating usernames into onclick handlers - Add rate limiting to /api/auth/register (3r/m) and /api/admin/* (10r/m); set limit_req_status 429 - Add Content-Security-Policy header restricting scripts to self and cdn.jsdelivr.net - Add Subresource Integrity hash to Chart.js CDN script tag Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 23:18:33 -07:00
parent 958c409e8e
commit f6cc7a606e
4 changed files with 57 additions and 15 deletions
--- a/nginx/html/index.html
+++ b/nginx/html/index.html
@@ -70,7 +70,7 @@

    </main>

-    <script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.0/dist/chart.umd.min.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.0/dist/chart.umd.min.js" integrity="sha384-e6nUZLBkQ86NJ6TVVKAeSaK8jWa3NhkYWZFomE39AvDbQWeie9PlQqM3pmYW5d1g" crossorigin="anonymous"></script>
    <script src="/js/api.js?v=4"></script>
    <script src="/js/auth.js?v=4"></script>
    <script src="/js/dashboard.js?v=4"></script>