Milestones

  • **Goal:** All identified security vulnerabilities from the C-DAC penetration test report are remediated, verified, and documented before the application goes to production. → "The application passes a re-test against all 8 reported findings with zero Medium or higher severity vulnerabilities outstanding, and all Low severity findings either resolved or formally accepted with documented risk."

    **Type:** Security

    **Milestone:** SH-1 — Security Hardening

    **Features in this milestone:**

    - [ ] #SH-01 — Unrestricted File Upload — server-side validation enforcement
    - [ ] #SH-02 — Insecure OAuth Redirect URI — enforce HTTPS on all redirect URIs
    - [ ] #SH-03 — Multiple Active Refresh Tokens — token rotation and invalidation
    - [ ] #SH-04 — Stored XSS via Username Field — server-side input validation
    - [ ] #SH-05 — Verbose API Response — response filtering and data minimisation
    - [ ] #SH-06 — Session Cookie Missing Secure Attribute — cookie security flags
    - [ ] #SH-07 — Session Cookie Missing SameSite Attribute — CSRF protection
    - [ ] #SH-08 — Refresh Token SameSite=None — review and harden cross-site cookie policy

    **Definition of Done:**

    - [ ] All Medium and High severity findings resolved and verified
    - [ ] All Low severity findings resolved or formally risk-accepted with written justification
    - [ ] Re-test performed by the original pen-test team or equivalent — zero Medium/High findings
    - [ ] All fixes merged to main behind a dedicated security branch
    - [ ] No regressions in existing auth, upload, or profile update flows
    - [ ] Backend sign-off from tech lead
    - [ ] Security findings documented in `docs/security/pentest-remediation-2026.md`

    **Target Date:** YYYY-MM-DD

    **Owner:** @username

    No due date
    8/8 issues closed
  • Our aim is to create a stable backend version for the first release of our application.

    No due date
    20/20 issues closed