security: fix all HIGH priority items from TODO.SECURITY.md

Items resolved:
- #3 (HIGH): Move file uploads outside webroot to STORAGE_ROOT (/var/www/posterg/storage).
  Uploads were previously stored in public/admin/actions/data/ which is web-accessible.
- #4 (HIGH): Align file paths and add media.php controller.
  DB paths are now storage-relative (theses/YEAR/ID/file, covers/file).
  New public/media.php serves files with path-traversal jail, MIME allow-list,
  and proper caching headers. memoire.php and search.php updated to use /media.php?path=.
  Also fixed: cover images were never recorded in thesis_files (broken INSERT).
- #5 (HIGH): RateLimit::getClientIdentifier() now uses REMOTE_ADDR only.
  HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are attacker-controlled headers that
  allowed unlimited rate-limit bypass by rotating spoofed IPs.
- #6 (HIGH): Port public/admin/.htaccess security rules to nginx/posterg.conf.
  Apache .htaccess directives are silently ignored by nginx; none were active.
  CSP added to /admin/ location block, .log file denial added globally,
  autoindex off made explicit. Documented in nginx/HTACCESS_TO_NGINX.md.

Supporting changes:
- config/bootstrap.php: add STORAGE_ROOT constant
- nginx/SECURITY_HEADERS.md: updated to reflect admin CSP and pending public CSP
- docs/TODO.SECURITY.md: items #3-6 moved to resolved; priority order updated

nginx/HTACCESS_TO_NGINX.md

@@ -0,0 +1,36 @@
+# `.htaccess` → nginx migration (item #6)
+
+> **Problem:** `public/admin/.htaccess` contained Apache-specific security
+> directives that nginx **silently ignores**. None of the rules were active
+> in production.
+
+---
+
+## Rules migrated into `nginx/posterg.conf`
+
+| Apache `.htaccess` rule | nginx equivalent | Location |
+|---|---|---|
+| `Header always set X-Frame-Options "SAMEORIGIN"` | `add_header X-Frame-Options "SAMEORIGIN" always;` | main `server` block (already present) |
+| `Header always set X-Content-Type-Options "nosniff"` | `add_header X-Content-Type-Options "nosniff" always;` | main `server` block (already present) |
+| `Header always set X-XSS-Protection "1; mode=block"` | **Intentionally omitted** — deprecated & counterproductive; see `SECURITY_HEADERS.md` | — |
+| `Header always set Referrer-Policy "strict-origin-when-cross-origin"` | `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` | main `server` block (already present) |
+| `Header always set Content-Security-Policy "..."` | `add_header Content-Security-Policy "..." always;` | `/admin/` location block (**added**) |
+| `Options -Indexes` | `autoindex off;` | `/admin/` location block (**added**; nginx default is off, explicit for clarity) |
+| `<FilesMatch "^\."> Require all denied` | `location ~ /\.(?!well-known).*` deny | main `server` block (already present) |
+| `<FilesMatch "(composer\.(json\|lock)\|error\.log)$"> Require all denied` | `location ~* \.(md\|txt\|sql\|sh\|json\|gitignore)$` deny + `location ~* \.log$` deny | main `server` block (`log` rule **added**) |
+| `php_flag display_errors Off` | Handled by `config/bootstrap.php` (`ini_set('display_errors', '0')`) | PHP |
+| `php_flag log_errors On` | Handled by `config/bootstrap.php` (`ini_set('log_errors', '1')`) | PHP |
+| `php_value error_log error.log` | Handled by `config/bootstrap.php`; should use absolute path (item #9) | PHP |
+
+---
+
+## Status of `public/admin/.htaccess`
+
+The file is now **dead code** on this nginx server. It has been left in place
+(harmless) so it would still work if the project were ever tested behind Apache
+(e.g., `php -S` built-in server doesn't read it either). All security rules it
+previously attempted to set are now enforced by nginx directly.
+
+---
+
+*Added: 2026-02-08 — security item #6*

nginx/SECURITY_HEADERS.md

@@ -1,6 +1,6 @@
 # Security Headers — nginx/posterg.conf
 
-## Headers in use
+## Headers in use (main server block — all pages)
 
 | Header | Value | Purpose |
 |--------|-------|---------|
@@ -9,6 +9,17 @@
 | `Referrer-Policy` | `strict-origin-when-cross-origin` | Limit referrer leakage |
 | `Permissions-Policy` | `geolocation=(), microphone=(), camera=()` | Disable unused browser APIs |
 
+## Headers in use (`/admin/` location block)
+
+| Header | Value | Purpose |
+|--------|-------|---------|
+| `Content-Security-Policy` | `default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';` | Restrict resource origins; block embedding |
+| `X-Robots-Tag` | `noindex, nofollow` | Prevent search-engine indexing of admin |
+
+These were previously declared in `public/admin/.htaccess` as Apache
+`mod_headers` directives, which nginx silently ignores. They are now
+enforced directly; see `HTACCESS_TO_NGINX.md` for the full migration log.
+
 ## Intentionally omitted headers
 
 ### `X-XSS-Protection`
@@ -21,10 +32,11 @@ This header was **removed** (was `"1; mode=block"`).
 to expose response bodies that would otherwise be blocked. Sending it provides
 no protection and may introduce risk.
 
-**Correct mitigation:** a proper `Content-Security-Policy` header (todo item #11).
+**Correct mitigation:** a proper `Content-Security-Policy` header (now done for
+`/admin/`; public-page CSP is todo item #11).
 
 ## Pending headers
 
-| Header | Status |
-|--------|--------|
-| `Content-Security-Policy` | ⏳ todo item #11 |
+| Header | Scope | Status |
+|--------|-------|--------|
+| `Content-Security-Policy` | Public pages (non-admin) | ⏳ todo item #11 |

nginx/posterg.conf

@@ -74,6 +74,13 @@ server {
         # Rate limiting for admin
         limit_req zone=admin burst=5 nodelay;
 
+        # Content-Security-Policy — ported from public/admin/.htaccess which nginx ignores (item #6).
+        # Tighter policy for admin: no external sources, no object embedding.
+        add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
+
+        # Disable directory listing (nginx default is off; explicit for defence-in-depth, item #6)
+        autoindex off;
+
         # Allow access to public assets without authentication
         location ~ ^/admin/(css|js|images)/ {
             auth_basic off;
@@ -134,6 +141,14 @@ server {
         try_files $uri $uri/ =404;
     }
 
+    # Deny access to log files — public/admin/.htaccess had this rule but Apache
+    # .htaccess directives are silently ignored by nginx (item #6).
+    location ~* \.log$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
     # Deny access to .htaccess files (if Apache's document root concurs with nginx's)
     location ~ /\.ht {
         deny all;