phase 16 implementation
This commit is contained in:
@@ -0,0 +1,25 @@
|
||||
# Phase 14 Security Review
|
||||
|
||||
## Implemented controls
|
||||
|
||||
- Strict allowlisted request and guard schemas with unknown-field rejection.
|
||||
- POST-only route handler with JSON content-type enforcement.
|
||||
- 16 KiB declared and measured request-size limits.
|
||||
- Same-origin or approved-origin validation.
|
||||
- Custom request marker to force non-simple cross-origin requests through browser preflight.
|
||||
- Server-side enum, length, locale, source, and UUID validation.
|
||||
- HTML rendering remains React-escaped; external errors are never rendered.
|
||||
- Adapter calls are bounded by `AbortController` timeout.
|
||||
- Duplicate transport is coalesced by idempotency key.
|
||||
- Production secrets have no public environment variable.
|
||||
- Local/test adapters are blocked in deployed production configuration.
|
||||
- No raw request body, form value, vendor response, or stack trace is logged or returned.
|
||||
- No external URL or redirect destination is active.
|
||||
|
||||
## Deliberately unresolved
|
||||
|
||||
A production-grade distributed idempotency store, rate limiting, retry policy, CRM authentication, webhook verification, replay policy, vendor scopes, email-header defense, scheduler origin policy, and operational alerting depend on the selected service and architecture. They remain release gates rather than fake generic implementations.
|
||||
|
||||
## Residual risk
|
||||
|
||||
The local in-memory idempotency coordinator is process-local and exists only to test the boundary. It is not suitable for horizontally scaled production. The honeypot is proportionate for local testing but is not a complete abuse control. Dynamic security testing, dependency audit, browser CSP validation, and penetration review remain open because dependencies and browsers could not be executed in this environment.
|
||||
Reference in New Issue
Block a user