security: fix all HIGH priority items from TODO.SECURITY.md

Items resolved: - #3 (HIGH): Move file uploads outside webroot to STORAGE_ROOT (/var/www/posterg/storage). Uploads were previously stored in public/admin/actions/data/ which is web-accessible. - #4 (HIGH): Align file paths and add media.php controller. DB paths are now storage-relative (theses/YEAR/ID/file, covers/file). New public/media.php serves files with path-traversal jail, MIME allow-list, and proper caching headers. memoire.php and search.php updated to use /media.php?path=. Also fixed: cover images were never recorded in thesis_files (broken INSERT). - #5 (HIGH): RateLimit::getClientIdentifier() now uses REMOTE_ADDR only. HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are attacker-controlled headers that allowed unlimited rate-limit bypass by rotating spoofed IPs. - #6 (HIGH): Port public/admin/.htaccess security rules to nginx/posterg.conf. Apache .htaccess directives are silently ignored by nginx; none were active. CSP added to /admin/ location block, .log file denial added globally, autoindex off made explicit. Documented in nginx/HTACCESS_TO_NGINX.md. Supporting changes: - config/bootstrap.php: add STORAGE_ROOT constant - nginx/SECURITY_HEADERS.md: updated to reflect admin CSP and pending public CSP - docs/TODO.SECURITY.md: items #3-6 moved to resolved; priority order updated
2026-05-06 19:19:19 +02:00 · 2026-02-08 14:01:33 +01:00
parent f5d3281c43
commit a2b1ff5f41
10 changed files with 203 additions and 50 deletions
--- a/nginx/SECURITY_HEADERS.md
+++ b/nginx/SECURITY_HEADERS.md
@@ -1,6 +1,6 @@
 # Security Headers — nginx/posterg.conf

-## Headers in use
+## Headers in use (main server block — all pages)

 | Header | Value | Purpose |
 |--------|-------|---------|
@@ -9,6 +9,17 @@
 | `Referrer-Policy` | `strict-origin-when-cross-origin` | Limit referrer leakage |
 | `Permissions-Policy` | `geolocation=(), microphone=(), camera=()` | Disable unused browser APIs |

+## Headers in use (`/admin/` location block)
+
+| Header | Value | Purpose |
+|--------|-------|---------|
+| `Content-Security-Policy` | `default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';` | Restrict resource origins; block embedding |
+| `X-Robots-Tag` | `noindex, nofollow` | Prevent search-engine indexing of admin |
+
+These were previously declared in `public/admin/.htaccess` as Apache
+`mod_headers` directives, which nginx silently ignores. They are now
+enforced directly; see `HTACCESS_TO_NGINX.md` for the full migration log.
+
 ## Intentionally omitted headers

 ### `X-XSS-Protection`
@@ -21,10 +32,11 @@ This header was **removed** (was `"1; mode=block"`).
 to expose response bodies that would otherwise be blocked. Sending it provides
 no protection and may introduce risk.

-**Correct mitigation:** a proper `Content-Security-Policy` header (todo item #11).
+**Correct mitigation:** a proper `Content-Security-Policy` header (now done for
+`/admin/`; public-page CSP is todo item #11).

 ## Pending headers

-| Header | Status |
-|--------|--------|
-| `Content-Security-Policy` | ⏳ todo item #11 |
+| Header | Scope | Status |
+|--------|-------|--------|
+| `Content-Security-Policy` | Public pages (non-admin) | ⏳ todo item #11 |