Harden deployment and fix PEN-01
- Fix Bearer token extraction to validate prefix (PEN-01) - Add TestExtractBearerFromRequest covering PEN-01 edge cases - Fix flaky TestRenewToken timing (2s → 4s lifetime) - Move default config/install paths to /srv/mcias - Add RUNBOOK.md for operational procedures - Update AUDIT.md with penetration test round 4 Security: extractBearerFromRequest now uses case-insensitive prefix validation instead of fixed-offset slicing, rejecting non-Bearer Authorization schemes that were previously accepted. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
6
dist/mcias.env.example
vendored
6
dist/mcias.env.example
vendored
@@ -1,10 +1,10 @@
|
||||
# /etc/mcias/env — Environment file for mciassrv (systemd EnvironmentFile).
|
||||
# /srv/mcias/env — Environment file for mciassrv (systemd EnvironmentFile).
|
||||
#
|
||||
# This file is loaded by the mcias.service unit before the server starts.
|
||||
# It must be readable only by root and the mcias service account:
|
||||
#
|
||||
# chmod 0640 /etc/mcias/env
|
||||
# chown root:mcias /etc/mcias/env
|
||||
# chmod 0640 /srv/mcias/env
|
||||
# chown root:mcias /srv/mcias/env
|
||||
#
|
||||
# SECURITY: This file contains the master key passphrase. Treat it with
|
||||
# the same care as a private key. Do not commit it to version control.
|
||||
|
||||
Reference in New Issue
Block a user