diff --git a/image-recipe/configs/nginx-archipelago.conf b/image-recipe/configs/nginx-archipelago.conf index d5f98113..944e161f 100644 --- a/image-recipe/configs/nginx-archipelago.conf +++ b/image-recipe/configs/nginx-archipelago.conf @@ -70,6 +70,9 @@ server { # AIUI web search proxy — SearXNG on port 8888 location /aiui/api/web-search { + if ($cookie_session = "") { + return 401 '{"error":"Unauthorized"}'; + } proxy_pass http://127.0.0.1:8888/search; proxy_http_version 1.1; proxy_set_header Host $host; @@ -176,6 +179,13 @@ server { proxy_read_timeout 300s; proxy_send_timeout 300s; } + # Block path traversal attempts before they reach FileBrowser + location ~* /app/filebrowser/api/resources/.*/\.\. { + return 403; + } + location ~* /app/filebrowser/api/raw/.*/\.\. { + return 403; + } location /app/filebrowser/ { client_max_body_size 10G; proxy_pass http://127.0.0.1:8083/; diff --git a/loop/plan.md b/loop/plan.md index 67163f46..20d577c6 100644 --- a/loop/plan.md +++ b/loop/plan.md @@ -398,7 +398,7 @@ - [x] **FINAL-01** — Run final UX audit on every page. Complete UX review of all 20+ pages/views. Fix any remaining inconsistencies. Ensure loading states, error states, and empty states are all polished. **Acceptance**: UX audit passes with no critical issues. -- [ ] **FINAL-02** — Run final security audit. Complete security review of: all 80+ RPC endpoints, nginx configuration, container isolation, secrets management, session handling. Fix any findings. **Acceptance**: Zero critical/high findings. +- [x] **FINAL-02** — Run final security audit. Complete security review of: all 80+ RPC endpoints, nginx configuration, container isolation, secrets management, session handling. Fix any findings. **Acceptance**: Zero critical/high findings. - [ ] **FINAL-03** — Run final sweep. Execute `/sweep`. All metrics must be at zero violations or documented exceptions. **Acceptance**: Sweep report clean.