No tested restore path exists. Minimal local test: pull a backup, run integrity checks on each DB, verify schema matches.
-
### Rate limiting
-
No rate limiting on any endpoint. Caddy can add this. Not critical for soft launch, needed before wider announcement.
+
### Rate limiting + security headers
+
No rate limiting on any endpoint; no security response headers. Both handled in Caddy. **Plan at [[Plans/Rate_Limiting_And_Security_Headers]].** Phase 1 (headers only) can deploy immediately. Phase 2 (rate limiting) requires xcaddy rebuild with rate_limit module.
-
### OWASP high-priority items
+
### OWASP remaining items
From [[Security/OWASP_2025_Audit]]:
-
- ~~**Bcrypt linear scan DoS**~~ ✅ MERGED (2026-03-17): Replaced bcrypt with SHA-256 for API token hashing. `get_by_token()` does O(1) indexed lookup. Ansible migration invalidates legacy bcrypt hashes.
-
- **Security response headers:** Add `X-Content-Type-Options`, `X-Frame-Options`, `Strict-Transport-Security` in Caddy.
+
- ~~**Bcrypt linear scan DoS**~~ ✅ MERGED (2026-03-17)
+
- ~~**Security response headers**~~ Plan ready (see above)
- **Security logging:** No audit trail for auth events, ACL changes, wiki deletions.
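Review bot: The strikethrough on the replaced "Security response headers" bullet ("~~**Security response headers**~~ Plan ready (see above)") marks the item as resolved while the same hunk says Phase 1 has not yet deployed; keep it un-struck until the headers are live, mirroring how the bcrypt item only got ~~ once MERGED. The removed bullet also carried the concrete header list (`X-Content-Type-Options`, `X-Frame-Options`, `Strict-Transport-Security`), which now survives only behind the [[Plans/Rate_Limiting_And_Security_Headers]] link; either confirm the plan page lists them or keep the names inline so a reader of this file can check the deployed response without following the link. Similarly, shortening the bcrypt line drops the note that the Ansible migration invalidates legacy bcrypt hashes, which is the operationally relevant fact for anyone holding an old token, so consider keeping that clause. Finally, the old rate-limiting text tied the work to a milestone ("needed before wider announcement"); the new wording gives the mechanism (xcaddy rebuild with rate_limit module) but no longer says what the Phase 2 deadline is, so restate the gating condition.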