remove HTTP hardening checklist from NEW_REPO_CHECKLIST.md
All checks were successful
check / check (push) Successful in 5s
All checks were successful
check / check (push) Successful in 5s
New repos aren't HTTP services at creation time — these items only make sense in EXISTING_REPO_CHECKLIST.md (for 1.0 prep) and in the policy itself (REPO_POLICIES.md).
This commit is contained in:
clawbot
@@ -1,6 +1,6 @@
|
||||
---
|
||||
title: New Repo Checklist
|
||||
last_modified: 2026-03-10
|
||||
last_modified: 2026-02-22
|
||||
---
|
||||
|
||||
Use this checklist when creating a new repository from scratch. Follow the steps
|
||||
@@ -84,22 +84,7 @@ Template files can be fetched from:
|
||||
- [ ] No unnecessary files in repo root
|
||||
- [ ] All dates written as YYYY-MM-DD
|
||||
|
||||
# 5. HTTP Service Hardening (if the repo is an HTTP/web service targeting 1.0)
|
||||
|
||||
- [ ] Security headers middleware configured (HSTS, CSP, X-Frame-Options,
|
||||
X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
|
||||
- [ ] Request body size limits enforced on all endpoints
|
||||
- [ ] HTTP server read/write/idle timeouts configured (slowloris defense)
|
||||
- [ ] Per-handler execution time limits in place
|
||||
- [ ] Rate limiting on password-based authentication endpoints
|
||||
- [ ] CSRF tokens on all state-mutating HTML forms
|
||||
- [ ] Password hashing uses bcrypt, scrypt, or argon2
|
||||
- [ ] Session cookies set with HttpOnly, Secure, and SameSite attributes
|
||||
- [ ] True client IP detection configured with trusted proxy allowlist
|
||||
- [ ] CORS restricted to explicit origin allowlist for authenticated endpoints
|
||||
- [ ] Error responses never leak stack traces, SQL queries, or internal paths
|
||||
|
||||
# 6. Merge and Set Up
|
||||
# 5. Merge and Set Up
|
||||
|
||||
- [ ] Commit, merge to `main`
|
||||
- [ ] `make hooks` to install pre-commit hook
|
||||
|
||||
Reference in New Issue
Block a user