Worth saying that this is ongoing development; this is not even version 1, it's v0.3.1
Comment on I built a self-hosted period tracker because I couldn't find one worth using
Pieisawesome@lemmy.dbzer0.com 2 days ago
You're releasing a health data app without doing security hardening?
So much for you saying you take security seriously
terraincognita@lemmy.world 2 days ago
napkin2020@sh.itjust.works 1 day ago
What a douchebag
terraincognita@lemmy.world 2 days ago
No, we didn’t ship it without security hardening.
We already hardened the main sensitive parts:
- sealed auth/recovery/reset/flash cookies
- no auth or recovery secrets in URLs or JSON
- POST + CSRF logout
- basic browser security headers
- CodeQL, gosec, Trivy, and SBOM in CI

What's still missing is a strict CSP. That's not a one-line switch here because the current frontend still needs some refactoring first.
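Added example (not the project's code): a Go middleware, assumed Go since the reply mentions gosec, that sets the baseline browser security headers alongside a strict nonce-based CSP. The per-request nonce is what a frontend must thread into its inline `<script>` tags, which is the refactoring the reply alludes to; handler and key names here are hypothetical.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// nonceKey carries the per-request CSP nonce to templates via the request context.
type nonceKey struct{}

// newNonce returns 128 bits of CSPRNG output, base64-encoded, as a CSP nonce.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// securityHeaders returns baseline headers plus a strict CSP: only nonced
// scripts run, no plugins, no framing, no base-tag hijacking, forms stay same-origin.
func securityHeaders(nonce string) map[string]string {
	return map[string]string{
		"Content-Security-Policy": fmt.Sprintf("default-src 'self'; script-src 'nonce-%s' 'strict-dynamic'; "+
			"object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'self'", nonce),
		"X-Content-Type-Options": "nosniff",
		"X-Frame-Options":        "DENY",
		"Referrer-Policy":        "no-referrer",
	}
}

// withSecurityHeaders mints a fresh nonce per request, sets the headers, and
// exposes the nonce to the wrapped handler so templates can emit <script nonce=...>.
func withSecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := newNonce()
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		for k, v := range securityHeaders(nonce) {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), nonceKey{}, nonce)))
	})
}

func main() {
	// Constructed demo request: the handler echoes the nonce it was given.
	h := withSecurityHeaders(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.Context().Value(nonceKey{}))
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	fmt.Println(rec.Header().Get("Content-Security-Policy"))
}
```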
terraincognita@lemmy.world 1 day ago
CSP is released.