From 32cfb8483155978426abe796b845d91c696ac357 Mon Sep 17 00:00:00 2001 From: clawbot Date: Tue, 10 Mar 2026 18:04:47 -0700 Subject: [PATCH] remove HTTP hardening checklist from NEW_REPO_CHECKLIST.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit New repos aren't HTTP services at creation time — these items only make sense in EXISTING_REPO_CHECKLIST.md (for 1.0 prep) and in the policy itself (REPO_POLICIES.md). --- prompts/NEW_REPO_CHECKLIST.md | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/prompts/NEW_REPO_CHECKLIST.md b/prompts/NEW_REPO_CHECKLIST.md index a06153a..62334e8 100644 --- a/prompts/NEW_REPO_CHECKLIST.md +++ b/prompts/NEW_REPO_CHECKLIST.md @@ -1,6 +1,6 @@ --- title: New Repo Checklist -last_modified: 2026-03-10 +last_modified: 2026-02-22 --- Use this checklist when creating a new repository from scratch. Follow the steps 
@@ -84,22 +84,7 @@ Template files can be fetched from: - [ ] No unnecessary files in repo root - [ ] All dates written as YYYY-MM-DD -# 5. HTTP Service Hardening (if the repo is an HTTP/web service targeting 1.0) - -- [ ] Security headers middleware configured (HSTS, CSP, X-Frame-Options, - X-Content-Type-Options, Referrer-Policy, Permissions-Policy) -- [ ] Request body size limits enforced on all endpoints -- [ ] HTTP server read/write/idle timeouts configured (slowloris defense) -- [ ] Per-handler execution time limits in place -- [ ] Rate limiting on password-based authentication endpoints -- [ ] CSRF tokens on all state-mutating HTML forms -- [ ] Password hashing uses bcrypt, scrypt, or argon2 -- [ ] Session cookies set with HttpOnly, Secure, and SameSite attributes -- [ ] True client IP detection configured with trusted proxy allowlist -- [ ] CORS restricted to explicit origin allowlist for authenticated endpoints -- [ ] Error responses never leak stack traces, SQL queries, or internal paths - -# 6. Merge and Set Up +# 5. Merge and Set Up - [ ] Commit, merge to `main` - [ ] `make hooks` to install pre-commit hook
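Review bot: the first hunk moves `last_modified` backwards (`-last_modified: 2026-03-10` / `+last_modified: 2026-02-22`) while the patch itself is dated Tue, 10 Mar 2026 and changes this file, so the front matter would claim the checklist was last edited before this edit. If the goal is to undo an earlier bump, the file is still being modified now and the date should stay `last_modified: 2026-03-10` (or be set to the actual commit date); otherwise anything that sorts or audits prompts by `last_modified` will overlook this change.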
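Review bot: the second hunk deletes the entire "# 5. HTTP Service Hardening" section, but the commit message says these items belong in EXISTING_REPO_CHECKLIST.md and REPO_POLICIES.md and the diffstat shows only `prompts/NEW_REPO_CHECKLIST.md` changed, so nothing in this patch demonstrates that the eleven items (security headers, body size limits, server timeouts, rate limiting on password auth, CSRF tokens, bcrypt/scrypt/argon2, cookie attributes, trusted-proxy client IP, CORS allowlist, non-leaking error responses) are actually present in those other files; please confirm that, or move them in the same patch, so the hardening guidance is not silently lost. Two smaller points: the removed heading was already scoped with "(if the repo is an HTTP/web service targeting 1.0)", so a one-line pointer such as "- [ ] If the repo will become an HTTP/web service, see the hardening section of EXISTING_REPO_CHECKLIST.md before 1.0" would preserve the cross-reference at almost no cost; and renaming `# 6. Merge and Set Up` to `# 5. Merge and Set Up` changes the heading anchor, so any prompt or document linking to the old section number needs updating.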