Fat Kiss Security Checklist
Production
- HTTPS enforced (Let's Encrypt via certbot)
- Cloudflare proxy (orange cloud)
- Apache security headers
- /admin/ noindex
- No secrets in frontend code
- .env files gitignored
Contact Form
- Turnstile client + server verification
- Rate limiting
- Honeypot field
- Input sanitization
- Category allowlist
- CORS locked
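
Worked example of the server side of the contact-form controls above (honeypot field, per-IP rate limiting, category allowlist, input sanitization and server-side Turnstile verification), added here as illustration; it is not the site's own handler. Cloudflare's `siteverify` endpoint and the `cf-turnstile-response` field name are the documented ones; the category list, the honeypot field name, the other form field names and the rate-limit numbers are assumptions.

```python
"""Contact-form handler demonstrating the checklist's server-side controls.
Added example; field names, category list and limits are assumed values."""
import html
import json
import time
import urllib.parse
import urllib.request
from collections import deque

# Cloudflare's documented server-side verification endpoint for Turnstile.
TURNSTILE_VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
ALLOWED_CATEGORIES = {"general", "booking", "press"}  # assumed allowlist
HONEYPOT_FIELD = "website"   # assumed: hidden field a human never fills in
MAX_FIELD_LEN = 2000         # assumed upper bound per text field
RATE_LIMIT = 5               # assumed: at most 5 submissions ...
RATE_WINDOW = 600            # ... per source IP per 10 minutes

_recent = {}  # ip -> deque of submission timestamps (in-memory, single process)


def rate_limited(ip, now=None):
    """Sliding-window limiter: True once `ip` has hit RATE_LIMIT within RATE_WINDOW."""
    now = time.time() if now is None else now
    q = _recent.setdefault(ip, deque())
    while q and now - q[0] > RATE_WINDOW:
        q.popleft()                      # drop timestamps outside the window
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False


def verify_turnstile(token, secret, remote_ip, post=None):
    """Server-side check of the widget token. `post(url, body) -> dict` can be
    injected (e.g. a stub in tests); by default it performs the real HTTPS call."""
    if not token or len(token) > 2048:   # widget tokens are bounded in size
        return False
    body = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remote_ip}).encode()
    if post is None:
        def post(url, data):
            with urllib.request.urlopen(url, data, timeout=5) as resp:
                return json.load(resp)
    result = post(TURNSTILE_VERIFY_URL, body)
    return bool(result.get("success"))


def sanitize(value):
    """Bound length, strip C0 control characters (keeping newlines) and
    HTML-escape so the value is safe to echo into an e-mail or admin page."""
    value = (value or "")[:MAX_FIELD_LEN]
    value = "".join(ch for ch in value if ch == "\n" or ch >= " ")
    return html.escape(value.strip(), quote=True)


def handle_submission(form, remote_ip, turnstile_secret, post=None, now=None):
    """Run the checks in cheapest-first order. Returns (accepted, reason, cleaned)."""
    if form.get(HONEYPOT_FIELD):
        # Bots fill every field. Drop the message; the HTTP layer should still
        # answer with a normal "thanks" page so the bot learns nothing.
        return False, "honeypot", {}
    if rate_limited(remote_ip, now):
        return False, "rate_limited", {}
    category = form.get("category", "")
    if category not in ALLOWED_CATEGORIES:      # allowlist, never a denylist
        return False, "bad_category", {}
    if not verify_turnstile(form.get("cf-turnstile-response"),
                            turnstile_secret, remote_ip, post):
        return False, "turnstile_failed", {}
    cleaned = {k: sanitize(form.get(k)) for k in ("name", "email", "message")}
    cleaned["category"] = category
    if not cleaned["email"] or not cleaned["message"]:
        return False, "missing_fields", {}
    return True, "ok", cleaned
```

The Turnstile call is deliberately last: it costs an outbound HTTPS request, so the free checks (honeypot, limiter, allowlist) reject obvious junk before the verification quota is spent. The in-memory limiter resets on restart and is per process; behind Cloudflare the `remote_ip` must come from the `CF-Connecting-IP` header rather than the socket peer, or every visitor shares one bucket.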
Admin
- Gitea OAuth
- MFA required
- No server control exposed
- Media path restricted
To Do
- Configure Gitea webhook for auto-deploy
- Set up Turnstile site key in contact form
- Configure SMTP for contact handler
- Enable MFA on Amber's Gitea account
- Add CSP header
- Regular dependency updates