feat: add security hardening with rate limiting and pentest prep (Closes #64) #108

Merged
shahondin1624 merged 1 commit from feature/issue-64-security-hardening-pentest-prep into main 2026-04-07 15:54:14 +02:00
Owner

Summary

  • RateLimitMiddleware: Per-endpoint rate limits using NC distributed cache (search 60/min, export/report 10/min, import 5/min). HTTP 429 on exceeded.
  • InputSanitizer: Static utility for HTML stripping, date/email/int validation, typed array sanitization as defense-in-depth layer.
  • Middleware registration: Registered in Application.php for all controller actions.
  • Security checklist: Comprehensive documentation covering input validation audit of all 12 controllers, SQL injection prevention verification, XSS/CSRF analysis, permission matrix, encrypted data inventory, dependency audit commands, manual pentest checklist, and deployment hardening guide.

Closes #64

Test plan

  • Rate limiter returns 429 after exceeding limit on search endpoint
  • Rate limiter uses NC distributed cache (Redis/APCu)
  • InputSanitizer strips HTML tags
  • InputSanitizer validates date format (YYYY-MM-DD)
  • Security checklist document is complete and actionable
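The following is an added, standalone Python model of the per-endpoint rate limiting the summary describes; it is not the app's PHP middleware. The limits (search 60/min, export/report 10/min, import 5/min, default 120/min) come from the PR and commit message; `MemoryCache`, `ManualClock`, the cache key layout, the response headers and the German error text are assumptions of this example. The cache stand-in assumes only two atomic operations, add-if-absent with a TTL and increment, which both Redis and APCu provide.

```python
"""Fixed-window, per-endpoint rate limiting as described in the PR summary.

Standalone model, not the app's PHP middleware. MemoryCache stands in for
Nextcloud's distributed cache; the assumption is that only two atomic
operations are needed, add-if-absent with a TTL and increment, which Redis
and APCu both provide.
"""
import time

# Requests per minute per endpoint, from the PR summary; DEFAULT_LIMIT is the
# fallback the commit message gives for endpoints not listed here.
LIMITS = {"search": 60, "export": 10, "report": 10, "import": 5}
DEFAULT_LIMIT = 120
WINDOW_SECONDS = 60
# Constructed German text; the commit only says the 429 carries a German message.
ERROR_MESSAGE = "Zu viele Anfragen, bitte später erneut versuchen."


class ManualClock:
    """Clock whose time is advanced by hand, so windows can be tested offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class MemoryCache:
    """Minimal TTL cache exposing the two atomic operations the limiter uses."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._entries = {}  # key -> [count, expires_at]

    def _live(self, key):
        entry = self._entries.get(key)
        if entry is not None and self._clock() >= entry[1]:
            del self._entries[key]  # window elapsed: forget the counter
            entry = None
        return entry

    def add(self, key, value, ttl):
        """Set key only if absent (like Redis SET NX EX); True if it was set."""
        if self._live(key) is not None:
            return False
        self._entries[key] = [value, self._clock() + ttl]
        return True

    def inc(self, key, step=1):
        """Increment an existing key; None if it is missing or expired."""
        entry = self._live(key)
        if entry is None:
            return None
        entry[0] += step
        return entry[0]


class RateLimitMiddleware:
    """Counts requests per (endpoint, user) inside a 60-second window."""

    def __init__(self, cache):
        self.cache = cache

    def before_controller(self, user_id, endpoint):
        """Return a dict with 'status' 200 (continue) or 429 (reject) plus headers."""
        limit = LIMITS.get(endpoint, DEFAULT_LIMIT)
        key = f"ratelimit:{endpoint}:{user_id}"
        # add() succeeds only for the first request of a window and starts the
        # TTL; every later request in the window is counted through inc().
        count = 1 if self.cache.add(key, 1, WINDOW_SECONDS) else self.cache.inc(key)
        if count is None:
            # The window expired between add() and inc(): start a fresh one.
            self.cache.add(key, 1, WINDOW_SECONDS)
            count = 1
        headers = {"X-RateLimit-Limit": str(limit)}
        if count > limit:
            headers["Retry-After"] = str(WINDOW_SECONDS)
            return {"status": 429, "headers": headers, "error": ERROR_MESSAGE}
        headers["X-RateLimit-Remaining"] = str(limit - count)
        return {"status": 200, "headers": headers, "error": None}


if __name__ == "__main__":
    clock = ManualClock()
    limiter = RateLimitMiddleware(MemoryCache(clock))
    for n in range(1, 7):
        print("import", n, limiter.before_controller("alice", "import")["status"])
    clock.now += WINDOW_SECONDS + 1
    print("after window", limiter.before_controller("alice", "import")["status"])
```

Three properties of this design are worth checking against the real middleware: a fixed window lets a client send up to twice the limit across a window boundary (60 searches at 0:59 and 60 more at 1:00), so a sliding window is needed if that burst matters; the check is only race-free across concurrent PHP workers because `add` and `inc` are atomic in a cache shared by all nodes, and a per-process cache such as APCu on a multi-node deployment yields per-node limits; and because the key contains the user id, unauthenticated routes need a different discriminator or the counters collapse into one.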
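The InputSanitizer bullet and the two sanitizer items in the test plan (HTML stripping, YYYY-MM-DD validation) are modelled by the added Python example below. It is not the project's PHP utility; the function names and the email and integer rules are assumptions of this example. It also shows the caveat that makes such a utility a defense-in-depth layer rather than the XSS defense: stripping tags yields plain text that still has to be escaped at render time, and decoded character references can reintroduce angle brackets.

```python
"""Input sanitisation helpers modelled on the InputSanitizer described in the PR.

Added example in Python, not the app's PHP code; function names are assumptions.
"""
import re
from datetime import date
from html.parser import HTMLParser


class _TextCollector(HTMLParser):
    """Keeps only character data; tags, comments and attributes are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_html(value: str) -> str:
    """Remove markup. The result is plain text, not escaped text: it must still
    be HTML-escaped (or returned as JSON) when rendered, because decoded
    references such as &lt; come back out as literal angle brackets."""
    parser = _TextCollector()
    parser.feed(value)
    parser.close()
    return "".join(parser.parts).strip()


_DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")


def validate_date(value):
    """Return a date for strict YYYY-MM-DD input, else None. The regex guard
    matters: date.fromisoformat() on Python 3.11+ also accepts forms such as
    20260407, which the format rule rejects."""
    if not isinstance(value, str) or not _DATE_RE.fullmatch(value):
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:  # syntactically fine but not a calendar date, e.g. 2026-02-30
        return None


_EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s.]+")


def validate_email(value):
    """Conservative syntactic plausibility check (not deliverability);
    returns the lower-cased address or None."""
    if not isinstance(value, str) or len(value) > 254:
        return None
    return value.lower() if _EMAIL_RE.fullmatch(value) else None


def sanitize_int(value, minimum=None, maximum=None):
    """Accept ints or decimal strings within [minimum, maximum]; else None.
    bool is rejected explicitly because it subclasses int."""
    if isinstance(value, bool):
        return None
    if isinstance(value, str):
        value = value.strip()
        if not re.fullmatch(r"-?[0-9]+", value):
            return None
        value = int(value)
    if not isinstance(value, int):
        return None
    if minimum is not None and value < minimum:
        return None
    if maximum is not None and value > maximum:
        return None
    return value


def sanitize_typed_array(values, item_check):
    """Apply item_check to every element and drop the rejects, so a controller
    receives a list containing a single known type."""
    if not isinstance(values, list):
        return []
    cleaned = []
    for item in values:
        result = item_check(item)
        if result is not None:
            cleaned.append(result)
    return cleaned


if __name__ == "__main__":
    print(repr(strip_html("<b>Hello</b> <script>alert(1)</script>")))
    print(validate_date("2026-04-07"), validate_date("2026-02-30"))
    print(sanitize_typed_array(["1", "x", 3, None], sanitize_int))
```

The `strip_html` output for the script sample keeps the text `alert(1)`, which is harmless as text but shows that stripping is not encoding; the controller's JSON or template layer remains responsible for output escaping, and the checklist's XSS analysis should verify that layer rather than rely on the sanitizer.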
shahondin1624 added 1 commit 2026-04-07 15:54:09 +02:00
- RateLimitMiddleware: endpoint-specific rate limits (search 60/min,
  export/report 10/min, import 5/min, default 120/min) using NC
  distributed cache. Returns HTTP 429 with German error message.
- InputSanitizer: static utility for HTML stripping, date format
  validation, email validation, integer sanitization, typed array
  sanitization for defense-in-depth.
- Registered middleware in Application.php boot sequence.
- Security checklist documentation covering: input validation audit
  (all 12 controllers reviewed), SQL injection prevention, XSS/CSRF,
  permission matrix, encrypted data inventory, dependency audit
  commands, manual pentest checklist, deployment hardening guide.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
shahondin1624 merged commit 524c8690ca into main 2026-04-07 15:54:14 +02:00
shahondin1624 deleted branch feature/issue-64-security-hardening-pentest-prep 2026-04-07 15:54:14 +02:00