From fed7c3cedb13b227cfe981dad89aed00fd36c984 Mon Sep 17 00:00:00 2001 From: Dan Milne Date: Fri, 2 Jan 2026 11:53:41 +1100 Subject: [PATCH] Some beta-checklist updates --- README.md | 3 --- config/initializers/filter_parameter_logging.rb | 2 +- docs/beta-checklist.md | 13 +++++-------- 3 files changed, 6 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index fc5f1d7..3634a86 100644 --- a/README.md +++ b/README.md @@ -336,9 +336,6 @@ Use SQLite's `VACUUM INTO` command for safe, atomic backups of a running databas ```bash # Local development sqlite3 storage/production.sqlite3 "VACUUM INTO 'backup.sqlite3';" - -# Docker -docker exec clinch sqlite3 /rails/storage/production.sqlite3 "VACUUM INTO '/rails/storage/backup.sqlite3';" ``` This creates an optimized copy of the database that's safe to make even while Clinch is running. diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb index c0b717f..b6451be 100644 --- a/config/initializers/filter_parameter_logging.rb +++ b/config/initializers/filter_parameter_logging.rb @@ -4,5 +4,5 @@ # Use this to limit dissemination of sensitive information. # See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors. Rails.application.config.filter_parameters += [ - :passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc + :passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc, :backup ] diff --git a/docs/beta-checklist.md b/docs/beta-checklist.md index 30dd82e..3f946a2 100644 --- a/docs/beta-checklist.md +++ b/docs/beta-checklist.md 
@@ -155,16 +155,14 @@ This checklist ensures Clinch meets security, quality, and documentation standar - [x] Docker Compose example - [ ] Production deployment guide - [x] Backup and restore documentation -- [ ] Migration strategy documentation ## Security Hardening ### Headers & CSP -- [ ] Review Content Security Policy -- [ ] HSTS configuration -- [ ] X-Frame-Options -- [ ] X-Content-Type-Options -- [ ] Referrer-Policy +- [x] Content Security Policy (comprehensive policy in config/initializers/content_security_policy.rb) +- [x] X-Frame-Options (DENY in production config) +- [x] X-Content-Type-Options (nosniff - Rails default) +- [x] Referrer-Policy (strict-origin-when-cross-origin in production config) ### Rate Limiting - [ ] Login attempt rate limiting @@ -180,8 +178,7 @@ This checklist ensures Clinch meets security, quality, and documentation standar ### Logging & Monitoring - [x] Sentry integration (optional) -- [ ] Document what should be logged -- [ ] Document what should NOT be logged (tokens, passwords) +- [x] Parameter filtering configured (passwords, tokens, secrets, backup codes, emails filtered from logs) - [ ] Audit log for admin actions ## Known Limitations & Risks
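Review bot: In the README hunk, the Docker `docker exec clinch sqlite3 ... "VACUUM INTO ..."` example is removed without a pointer to where Docker users now find backup instructions, and the checklist in this same patch still shows "Production deployment guide" unchecked, so there is no replacement home for it yet. Either keep the Docker lines until the deployment guide exists or add a one-line reference to where the Docker backup procedure moved.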
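Review bot: In the filter_parameter_logging.rb hunk, `:backup` is a partial, case-insensitive name match like the other entries, so it will redact every parameter whose key contains "backup" (for example a backup filename or upload field), not just backup codes, while a backup-code parameter whose key does not contain "backup" will not be filtered at all. Confirm the actual parameter name used for backup codes and consider a more specific pattern such as `:backup_code` so the checklist claim "backup codes ... filtered from logs" holds.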
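Review bot: In the first beta-checklist.md hunk (@@ -155), "- [ ] HSTS configuration" is deleted rather than checked off, while X-Frame-Options and Referrer-Policy are marked done with a reference to the production config; state whether HSTS is also set there and keep the item, checked or still open, so the hardening section does not silently lose a header. The same applies to "- [ ] Migration strategy documentation", which is dropped without a note on whether it was done or deliberately descoped.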
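Review bot: In the second beta-checklist.md hunk (@@ -180), the two documentation items ("Document what should be logged" / "Document what should NOT be logged") are replaced by "- [x] Parameter filtering configured", but configuring the filter is not the same as documenting the logging policy for operators. Keep a documentation item open, or point the new line at the place (README or deployment guide) where the logging policy is written down.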