CRITICAL SECURITY FIXES:
- Fixed certificate validation bypass vulnerability in BTCPayServerService
  * Removed unsafe ServerCertificateCustomValidationCallback
  * Added environment-specific SSL configuration
  * Production now enforces proper SSL validation
- Fixed overly permissive CORS policy
  * Replaced AllowAnyOrigin() with specific trusted origins
  * Created separate CORS policies for Development/Production/API
  * Configured from appsettings for environment-specific control
- Implemented CSRF protection across admin panel
  * Added [ValidateAntiForgeryToken] to all POST/PUT/DELETE actions
  * Protected 10 admin controllers with anti-forgery tokens
  * Prevents Cross-Site Request Forgery attacks

CONFIGURATION IMPROVEMENTS:
- Created appsettings.Development.json for dev-specific settings
- Added Security:AllowInsecureSSL flag (Development only)
- Added CORS:AllowedOrigins configuration arrays
- Created comprehensive security roadmap (ROADMAP.md)

ALSO FIXED:
- TeleBot syntax errors (Program.cs, MessageFormatter.cs)
- Added enterprise-full-stack-developer output style

Impact: All Phase 1 critical security vulnerabilities resolved
Status: Ready for security review and deployment preparation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
22 lines
425 B
JSON
{
  "Logging": {
    "LogLevel": {
      "Default": "Debug",
      "Microsoft.AspNetCore": "Debug",
      "LittleShop": "Debug"
    }
  },
  "Security": {
    "AllowInsecureSSL": true,
    "EnableDetailedErrors": true
  },
  "CORS": {
    "AllowedOrigins": [
      "http://localhost:3000",
      "http://localhost:5173",
      "http://localhost:5000",
      "http://localhost:5001",
      "https://localhost:5001"
    ]
  }
}
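
A startup check for the "Development only" intent of `Security:AllowInsecureSSL` and the `CORS:AllowedOrigins` array, as an added example that is not code from this repository. The class name `SecurityConfigGuard`, the two inline JSON files and the origin `https://shop.example` are constructed for illustration; the configuration keys are the ones in the file above.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using Microsoft.Extensions.Configuration;

// Hypothetical startup guard; the class and method names are not from the LittleShop code base.
public static class SecurityConfigGuard
{
    // Lists settings that are acceptable in Development but unsafe in any other environment.
    public static List<string> Check(IConfiguration config, string environmentName)
    {
        var problems = new List<string>();
        if (string.Equals(environmentName, "Development", StringComparison.OrdinalIgnoreCase))
            return problems;

        if (config.GetValue<bool>("Security:AllowInsecureSSL"))
            problems.Add("Security:AllowInsecureSSL=true disables TLS certificate validation");

        var origins = config.GetSection("CORS:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();
        foreach (var origin in origins)
            if (!Uri.TryCreate(origin, UriKind.Absolute, out var uri) || uri.Scheme != Uri.UriSchemeHttps)
                problems.Add($"CORS:AllowedOrigins entry '{origin}' is not an absolute https:// origin");
        return problems;
    }

    private static Stream Json(string text) => new MemoryStream(Encoding.UTF8.GetBytes(text));

    public static void Main()
    {
        // Constructed sample files: a base file that still carries dev values, and a Production overlay.
        const string baseJson = @"{ ""Security"": { ""AllowInsecureSSL"": true },
            ""CORS"": { ""AllowedOrigins"": [ ""http://localhost:3000"", ""http://localhost:5173"" ] } }";
        const string prodJson = @"{ ""Security"": { ""AllowInsecureSSL"": false },
            ""CORS"": { ""AllowedOrigins"": [ ""https://shop.example"" ] } }";

        // Same layering order ASP.NET Core uses: appsettings.json, then appsettings.{Environment}.json.
        var config = new ConfigurationBuilder()
            .AddJsonStream(Json(baseJson)).AddJsonStream(Json(prodJson)).Build();

        // Arrays are merged per index (CORS:AllowedOrigins:0, :1, ...), so the overlay replaces
        // only entry 0 and http://localhost:5173 survives into the Production configuration.
        var problems = Check(config, "Production");
        foreach (var p in problems) Console.WriteLine("UNSAFE: " + p);
        if (problems.Count > 0) Environment.Exit(1); // fail fast instead of starting with these values
    }
}
```

Because of the per-index merge, keeping development origins only in `appsettings.Development.json`, as this file does, avoids leftover entries in other environments.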