fix(security): phase 1 critical fixes for public release
- Redact PostgreSQL DSN password from stdout/logs
- Harden .dockerignore to exclude .ssh/, .claude/, *.db, *.local files
- SSRF protection: block private/loopback/link-local IPs by default (UPTOP_ALLOW_PRIVATE_TARGETS=true to override for homelab use)
- Fix email header injection via CRLF in monitor names
- AES-256-GCM encryption for alert credentials at rest (UPTOP_ENCRYPTION_KEY env var, migrate-secrets subcommand)
- TLS support for HTTP server (UPTOP_TLS_CERT/UPTOP_TLS_KEY) with HSTS header when TLS enabled
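The SSRF target check the commit message describes (private, loopback and link-local addresses rejected unless UPTOP_ALLOW_PRIVATE_TARGETS=true), as an added example that is not the project's own code. The function names (`CheckTarget`, `isBlockedIP`), the `Resolver` abstraction and the fake DNS table are assumptions made so the check can be run offline; the env var name is the one from the commit message.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"os"
)

// Resolver maps a hostname to its addresses. It is abstracted so the check can be
// exercised offline with a fake table; a real program would pass net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// isBlockedIP reports whether an address points back into the host or local
// network: unspecified (0.0.0.0, ::), loopback, RFC 1918 / ULA private ranges,
// link-local (the range cloud metadata endpoints live in) and multicast.
// IPv4-mapped IPv6 forms (::ffff:10.0.0.1) are normalised first so the v4 checks apply.
func isBlockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsUnspecified() ||
		ip.IsLoopback() ||
		ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() ||
		ip.IsMulticast()
}

// allowPrivateFromEnv mirrors the override described in the commit message.
func allowPrivateFromEnv() bool {
	return os.Getenv("UPTOP_ALLOW_PRIVATE_TARGETS") == "true"
}

// CheckTarget validates a monitor URL before any request is made. When allowPrivate
// is false, every address the hostname resolves to must be public; checking all of
// them (not just the first) rejects DNS answers that mix public and private records.
func CheckTarget(rawURL string, allowPrivate bool, resolve Resolver) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("invalid URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("missing host")
	}
	if allowPrivate {
		return nil
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no DNS involved
	} else if ips, err = resolve(host); err != nil {
		return fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("host %q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return fmt.Errorf("target %q resolves to non-public address %s", host, ip)
		}
	}
	return nil
}

// fakeResolver is a constructed DNS table (documentation/test addresses only).
func fakeResolver(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"public.example":   {net.ParseIP("203.0.113.10")},
		"metadata.example": {net.ParseIP("169.254.169.254")},
		"mixed.example":    {net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")},
	}
	ips, ok := table[host]
	if !ok {
		return nil, fmt.Errorf("no such host")
	}
	return ips, nil
}

func main() {
	for _, target := range []string{"https://public.example/health", "http://127.0.0.1:8080/", "http://mixed.example/"} {
		fmt.Printf("%-32s -> %v\n", target, CheckTarget(target, allowPrivateFromEnv(), fakeResolver))
	}
}
```

One caveat a reviewer would raise on any resolve-then-connect check: the HTTP client resolves the name again when dialing, so a record that changes between the check and the request (DNS rebinding) slips through. Pinning the validated address in the client's dialer, or re-running `isBlockedIP` inside a custom `DialContext`, closes that gap.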
+13
-1
@@ -1,3 +1,15 @@
.git
tmp/
vendor/
vendor/
|
# Security: keep sensitive/local files out of Docker build context
.ssh/
.claude/
.github/
.gitea/
CLAUDE.md
*.local.json
*.local.md
*.local
*.db
*.db-journal
|
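Review bot: the new patterns at the end of the hunk (`.ssh/`, `*.local`, `*.local.json`, `*.local.md`, `*.db`, `*.db-journal`) only match at the root of the build context, because .dockerignore patterns are anchored there; a SQLite file or local override sitting in a subdirectory would still be copied into the image. If the intent is to keep them out of the context wherever they appear, add `**/` variants alongside the root ones (for example `**/*.db`, `**/*.db-journal`, `**/*.local*`, `**/.ssh/`) and confirm with a build of a tree that contains such a file in a subdirectory.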