Fix low-level security issues

Content-Security-Policy: add header with default-src 'self',
unsafe-inline for styles (needed for JS-generated inline style attrs),
and data: for embedded logo/signature images.

JSON body limit: reduce from 10mb to 2mb (logo cap is 512KB base64).

Session maxAge: now configurable via SESSION_MAX_AGE_HOURS env var
(default 168h / 7 days). Documented in .env.example.

Password strength: centralize validation in auth.js and raise the bar
to 10+ characters with at least one letter and one non-letter. Applied
consistently to all four password-setting paths (initial setup,
login change-password, admin create user, admin edit user).
2026-03-20 12:25:42 -06:00
parent 2939bfa608
commit bd3e66cd44
4 changed files with 28 additions and 6 deletions
@@ -2,5 +2,6 @@
# Generate SESSION_SECRET with: openssl rand -hex 32
SESSION_SECRET=replace-with-a-random-64-character-hex-string
SESSION_MAX_AGE_HOURS=168 # default: 168 (7 days)
PORT=3000
DB_PATH=/app/data/check-printing.db
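Review bot: the trailing inline comment on the new `SESSION_MAX_AGE_HOURS=168 # default: 168 (7 days)` line is not handled the same way by every .env loader; some treat everything after `=` as the value, so the application would receive the string `168 # default: 168 (7 days)` and, depending on how it is converted to a number, either silently fall back to the hard-coded default or produce an invalid maxAge. The file already documents SESSION_SECRET with a comment on its own line above the variable; keep that convention here and move the note to a preceding `# Session lifetime in hours, default 168 (7 days)` line with `SESSION_MAX_AGE_HOURS=168` bare.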