# Fat Kiss Security Checklist

## Production

- [x] HTTPS enforced (Let's Encrypt via certbot)
- [x] Cloudflare proxy (orange cloud)
- [x] Apache security headers
- [x] /admin/ noindex
- [x] No secrets in frontend code
- [x] .env files gitignored

## Contact Form

- [x] Turnstile client + server verification
- [x] Rate limiting
- [x] Honeypot field
- [x] Input sanitization
- [x] Category allowlist
- [x] CORS locked

## Admin

- [x] Gitea OAuth
- [x] MFA required
- [x] No server control exposed
- [x] Media path restricted

## To Do

- [ ] Configure Gitea webhook for auto-deploy
- [ ] Set up Turnstile site key in contact form
- [ ] Configure SMTP for contact handler
- [ ] Enable MFA on Amber's Gitea account
- [ ] Add CSP header
- [ ] Regular dependency updates
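As an added example for the Contact Form section above (this is not the Fat Kiss site's own handler), the block below shows the server side of those ticked items in one place: honeypot check, per-IP rate limit, category allowlist, input sanitization, and Turnstile verification done on the server rather than trusting the widget. The field names, the category list, the rate-limit numbers and the injectable `fetch` hook are assumptions; the Turnstile `siteverify` endpoint and its `secret`, `response` and `remoteip` parameters are Cloudflare's documented API. Cheap local checks run first so that bots and rate-limited clients never cost a round trip to Cloudflare, and the Turnstile call fails closed on any network or parse error.

```python
"""Contact-form hardening example (added illustration, not the project's code).

Assumed: form field names, the category allowlist, rate-limit values, and the
`fetch` callable, which is injectable so the flow can be exercised offline.
"""
import html
import json
import re
import time
import urllib.parse
import urllib.request
from collections import defaultdict, deque

# Cloudflare's documented server-side verification endpoint.
TURNSTILE_VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
ALLOWED_CATEGORIES = {"booking", "press", "general"}  # assumed allowlist
HONEYPOT_FIELD = "website"  # assumed hidden field; real users leave it empty
MAX_LEN = {"name": 100, "email": 254, "message": 4000}  # assumed caps
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def default_fetch(url, data):
    """POST form-encoded data and return the parsed JSON body (real network)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode())
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def verify_turnstile(token, secret, remoteip=None, fetch=default_fetch):
    """Server-side Turnstile check; the client widget alone proves nothing."""
    if not token or len(token) > 2048:
        return False
    payload = {"secret": secret, "response": token}
    if remoteip:
        payload["remoteip"] = remoteip
    try:
        result = fetch(TURNSTILE_VERIFY_URL, payload)
    except Exception:
        return False  # fail closed on timeouts, HTTP errors or bad JSON
    return result.get("success") is True


class RateLimiter:
    """Sliding-window limiter keyed by client IP (in-memory, per process)."""

    def __init__(self, limit=5, window_s=600):
        self.limit, self.window_s = limit, window_s
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self._hits[key]
        while q and now - q[0] > self.window_s:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def sanitize(value, max_len):
    """Drop control characters, trim, cap length, and HTML-escape for safe echoing."""
    cleaned = "".join(ch for ch in str(value)
                      if ch == "\n" or (ch >= " " and ch != "\x7f"))
    return html.escape(cleaned.strip()[:max_len])


def validate_submission(form, client_ip, turnstile_secret, limiter,
                        fetch=default_fetch, now=None):
    """Return (ok, reason, clean_fields); local checks run before the Turnstile call."""
    if form.get(HONEYPOT_FIELD):
        return False, "honeypot", None  # bots fill hidden fields; humans do not
    if not limiter.allow(client_ip, now):
        return False, "rate_limited", None
    category = form.get("category", "")
    if category not in ALLOWED_CATEGORIES:  # allowlist, never a blocklist
        return False, "bad_category", None
    clean = {k: sanitize(form.get(k, ""), n) for k, n in MAX_LEN.items()}
    if not clean["name"] or not clean["message"] or not EMAIL_RE.match(clean["email"]):
        return False, "bad_fields", None
    if not verify_turnstile(form.get("cf-turnstile-response"),
                            turnstile_secret, client_ip, fetch):
        return False, "turnstile", None
    clean["category"] = category
    return True, "ok", clean
```

In production the handler would pass the real Turnstile secret from the environment (never from frontend code, per the checklist) and use `default_fetch`; the in-memory limiter is enough for a single Apache worker, but a multi-process deployment would back it with a shared store.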