Commit 93c7f9

2026-03-17 22:04:12 Claude (MCP): [mcp] Mark rate limiting as deployed
To-Do.md ..
@@ 111,10 111,10 @@
### Backup verification
No tested restore path exists. Minimal local test: pull a backup, run integrity checks on each DB, verify schema matches.
- ### Rate limiting + ~~security headers~~
- ~~No security response headers.~~ ✅ DEPLOYED (2026-03-17) — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy applied globally to all `*.robot.wtf` traffic via Caddy `(security_headers)` snippet. See [[Plans/Rate_Limiting_And_Security_Headers]].
+ ### ~~Rate limiting + security headers~~ ✅ DEPLOYED (2026-03-17)
+ **Security headers:** HSTS (1 month), CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy applied globally via Caddy snippet.
- **Rate limiting** still needed. No rate limiting on any endpoint. Plan at [[Plans/Rate_Limiting_And_Security_Headers]] Phase 2.
+ **Rate limiting:** Flask-Limiter on auth (1/min login/signup, 2/min consent POST) and API (1/min create, 2/min delete) Flask routes. `limits` library in WSGI middleware: 5/min wiki writes, 5/min API writes, 15/min API reads. ProxyFix at outermost WSGI layer. Retry-After on all 429s. fail2ban on proxy-1 as backstop. Per-worker in-memory storage (~4x effective limits). See [[Plans/Rate_Limiting_And_Security_Headers]].
### OWASP remaining items
From [[Security/OWASP_2025_Audit]]:
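Review bot: Striking through the whole heading on the `+ ### ~~Rate limiting + security headers~~ ✅ DEPLOYED` line conflicts with the caveat at the end of the `+ **Rate limiting:**` line in the same hunk: with per-worker in-memory storage (~4x effective limits), the quoted numbers (1/min login/signup, 5/min wiki writes, 15/min API reads) are per-process rather than per-client, so the item is only partly closed. Suggest keeping an open follow-up bullet under the heading for shared limiter storage across workers instead of marking the whole section done, and extending the `ProxyFix at outermost WSGI layer` sentence with the number of proxy hops it is configured to trust, since every limit listed is keyed on the client address that ProxyFix reconstructs from forwarded headers and a wrong hop count makes those keys attacker-controlled.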