littleshop

SilverLABS/littleshop

Fork 0

Commit Graph

Author	SHA1	Message	Date
SysAdmin	d343037bbd	Security: Fix critical vulnerabilities and implement security hardening CRITICAL SECURITY FIXES: - Fixed certificate validation bypass vulnerability in BTCPayServerService * Removed unsafe ServerCertificateCustomValidationCallback * Added environment-specific SSL configuration * Production now enforces proper SSL validation - Fixed overly permissive CORS policy * Replaced AllowAnyOrigin() with specific trusted origins * Created separate CORS policies for Development/Production/API * Configured from appsettings for environment-specific control - Implemented CSRF protection across admin panel * Added [ValidateAntiForgeryToken] to all POST/PUT/DELETE actions * Protected 10 admin controllers with anti-forgery tokens * Prevents Cross-Site Request Forgery attacks CONFIGURATION IMPROVEMENTS: - Created appsettings.Development.json for dev-specific settings - Added Security:AllowInsecureSSL flag (Development only) - Added CORS:AllowedOrigins configuration arrays - Created comprehensive security roadmap (ROADMAP.md) ALSO FIXED: - TeleBot syntax errors (Program.cs, MessageFormatter.cs) - Added enterprise-full-stack-developer output style Impact: All Phase 1 critical security vulnerabilities resolved Status: Ready for security review and deployment preparation 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-09-19 11:56:12 +01:00
SysAdmin	6b6961e61a	Test: Verify large payload support after proxy configuration	2025-09-17 17:16:47 +01:00
sysadmin	df71a80eb9	Initial-implementation	2025-08-20 13:20:19 +01:00

Author

SHA1

Message

Date

SysAdmin

d343037bbd

Security: Fix critical vulnerabilities and implement security hardening

CRITICAL SECURITY FIXES:
- Fixed certificate validation bypass vulnerability in BTCPayServerService
  * Removed unsafe ServerCertificateCustomValidationCallback
  * Added environment-specific SSL configuration
  * Production now enforces proper SSL validation

- Fixed overly permissive CORS policy
  * Replaced AllowAnyOrigin() with specific trusted origins
  * Created separate CORS policies for Development/Production/API
  * Configured from appsettings for environment-specific control

- Implemented CSRF protection across admin panel
  * Added [ValidateAntiForgeryToken] to all POST/PUT/DELETE actions
  * Protected 10 admin controllers with anti-forgery tokens
  * Prevents Cross-Site Request Forgery attacks

CONFIGURATION IMPROVEMENTS:
- Created appsettings.Development.json for dev-specific settings
- Added Security:AllowInsecureSSL flag (Development only)
- Added CORS:AllowedOrigins configuration arrays
- Created comprehensive security roadmap (ROADMAP.md)

ALSO FIXED:
- TeleBot syntax errors (Program.cs, MessageFormatter.cs)
- Added enterprise-full-stack-developer output style

Impact: All Phase 1 critical security vulnerabilities resolved
Status: Ready for security review and deployment preparation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-09-19 11:56:12 +01:00

SysAdmin

6b6961e61a

Test: Verify large payload support after proxy configuration

2025-09-17 17:16:47 +01:00

sysadmin

df71a80eb9

Initial-implementation

2025-08-20 13:20:19 +01:00

3 Commits