till/cards
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
cards/apps
History
Till JS 5a29dd9a8c
Some checks are pending
CI / validate (push) Waiting to run
Details
security(cards): CSP report-only + service-key rotation playbook 
Folge-Hardening zu e1ddbf3, Cluster A2+A3 aus FEATURE_IDEAS.

* hooks.server.ts: restriktive CSP im Report-Only-Modus
  (default-src 'self', script-src 'self', connect-src whitelist
  auf cardecky-api/auth.mana.how/share/mcp). CARDS_CSP_ENFORCE=true
  flippt auf den scharfen Header.
* docs/playbooks/SERVICE_KEY_ROTATION.md: 5-Schritt-Rotation für
  CARDS_DSGVO_SERVICE_KEY bis Phase F-1 (mana-auth-managed Keys).

Forensik der Bypass-Periode 2026-05-08 → 2026-05-12 ist abgeschlossen:
nur 2 user_ids in der Cards-DB, beide legitim (tills95@gmail.com +
Smoke-Test-Sentinel c1a5, letztere via DSGVO-Endpoint aufgeräumt).
Kein ausgenutzter Bypass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 18:40:29 +02:00
..
api security(cards): fail-secure dev-stub, headers, rate-limit, dsgvo audit 2026-05-12 16:56:03 +02:00
landing feat(landing): Astro-Landingpage für Cardecky 2026-05-11 18:40:51 +02:00
web security(cards): CSP report-only + service-key rotation playbook 2026-05-12 18:40:29 +02:00