commit ad22fb

Page Index

2026-03-17 07:03:24 Claude (MCP): [api] Edit: To-Do

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9

`To-Do.md` ..
@@ 107,7 107,7 @@

	### OWASP high-priority items
	From [[Security/OWASP_2025_Audit]]:
-	- Bcrypt linear scan DoS: `scan_by_token()` iterates all wiki rows with `bcrypt.checkpw()` per MCP request. O(N) bcrypt operations. Needs index or prefix-based lookup.
+	- ~~Bcrypt linear scan DoS~~ ✅ MERGED (2026-03-17): Replaced bcrypt with SHA-256 for API token hashing. `get_by_token()` does O(1) indexed lookup. Ansible migration invalidates legacy bcrypt hashes.
	- Security response headers: Add `X-Content-Type-Options`, `X-Frame-Options`, `Strict-Transport-Security` in Caddy.
	- Security logging: No audit trail for auth events, ACL changes, wiki deletions.