mirror of
https://github.com/complexcaresolutions/cms.c2sgmbh.git
synced 2026-03-17 17:24:12 +00:00
Martin Porwoll
fc94531931
Security Features: - Central rate-limiter service with Redis support and memory fallback - Predefined limiters: publicApi, auth, email, search, form, strict - Automatic cleanup of stale entries - IP allowlist/blocklist for sensitive endpoints - CIDR and wildcard support - Configurable via SEND_EMAIL_ALLOWED_IPS, BLOCKED_IPS env vars - CSRF protection with Double Submit Cookie pattern - Token endpoint: GET /api/csrf-token - Origin header validation - Data masking service for sensitive data - Automatic redaction of passwords, tokens, API keys - Safe logger factory for consistent logging - Recursive object masking for audit logs Secret Scanning: - Pre-commit hook for local secret detection - GitHub Actions workflow with Gitleaks and CodeQL - Gitleaks configuration file - Dependency vulnerability scanning Updated: - /api/send-email now uses central rate-limiter and IP allowlist - Redis lib exports getRedisClient and isRedisAvailable 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
60 lines
1.4 KiB
TOML
60 lines
1.4 KiB
TOML
# Gitleaks Configuration
|
|
# https://github.com/gitleaks/gitleaks
|
|
|
|
title = "Payload CMS Gitleaks Config"
|
|
|
|
[extend]
|
|
# Extend the default gitleaks config
|
|
useDefault = true
|
|
|
|
# Pfade die ignoriert werden sollen
|
|
[allowlist]
|
|
paths = [
|
|
'''node_modules/''',
|
|
'''\.next/''',
|
|
'''dist/''',
|
|
'''coverage/''',
|
|
'''\.pnpm/''',
|
|
'''pnpm-lock\.yaml''',
|
|
'''package-lock\.json''',
|
|
'''\.env\.example''',
|
|
'''\.env\.sample''',
|
|
'''docs/.*\.md''',
|
|
]
|
|
|
|
# Regexes die ignoriert werden sollen (für Test-Daten etc.)
|
|
regexes = [
|
|
'''example\.com''',
|
|
'''test@test\.com''',
|
|
'''dummy''',
|
|
'''placeholder''',
|
|
]
|
|
|
|
# Commits die ignoriert werden sollen
|
|
commits = []
|
|
|
|
# Zusätzliche Regeln
|
|
[[rules]]
|
|
id = "payload-secret"
|
|
description = "Payload Secret"
|
|
regex = '''PAYLOAD_SECRET\s*=\s*['\"]?[a-zA-Z0-9_-]{20,}['\"]?'''
|
|
tags = ["secret", "payload"]
|
|
|
|
[[rules]]
|
|
id = "smtp-password"
|
|
description = "SMTP Password in config"
|
|
regex = '''smtp[_-]?pass(?:word)?\s*[:=]\s*['\"][^'\"]+['\"]'''
|
|
tags = ["secret", "smtp"]
|
|
|
|
[[rules]]
|
|
id = "database-url"
|
|
description = "Database URL with credentials"
|
|
regex = '''(?i)(postgres|mysql|mongodb|redis)://[^:]+:[^@]+@'''
|
|
tags = ["secret", "database"]
|
|
|
|
# Stopwords die einen Match verhindern
|
|
[[rules]]
|
|
id = "false-positive-example"
|
|
description = "Example values that are not secrets"
|
|
regex = '''(example|sample|dummy|placeholder|YOUR_[A-Z_]+_HERE)'''
|
|
allowlist = { regexes = ['''.*'''] }
|