25 lines
1.2 KiB
Markdown
25 lines
1.2 KiB
Markdown
## 1. LDAP Endpoint Hardening
|
|
|
|
- [x] 1.1 Add strict `LDAP_API_URL` validation (`https` + allowlisted hosts) in auth service initialization.
|
|
- [x] 1.2 Add tests for valid/invalid LDAP URL configurations and ensure unsafe URLs are rejected without outbound auth call.
|
|
|
|
## 2. Bounded Process Cache
|
|
|
|
- [x] 2.1 Extend `ProcessLevelCache` with configurable `max_size` and LRU eviction behavior.
|
|
- [x] 2.2 Wire bounded cache configuration for WIP/Resource process-level caches and add regression tests.
|
|
|
|
## 3. Circuit Breaker Lock Contention Reduction
|
|
|
|
- [x] 3.1 Refactor circuit breaker transition logging to execute outside lock-protected section.
|
|
- [x] 3.2 Add tests verifying transition logs are emitted while state mutation remains correct.
|
|
|
|
## 4. HTTP Security Headers and Input Boundary Validation
|
|
|
|
- [x] 4.1 Add global `after_request` security headers (CSP, frame, content-type, referrer, HSTS in production).
|
|
- [x] 4.2 Tighten pagination boundary handling (`page`/`page_size`) for WIP detail endpoint and add tests.
|
|
|
|
## 5. Validation and Documentation
|
|
|
|
- [x] 5.1 Run targeted backend/frontend tests plus benchmark smoke to confirm no behavior regression.
|
|
- [x] 5.2 Update `README.md` and `README.mdj` with round-2 security/stability hardening notes.
|