fix: security hardening — remove dead routes, add JWT audience validation
- Remove broken observe/dashboard Traefik routes (server accessed via /server only)
- Remove unused acme volume
- Add JWT audience claim validation (https://api.cameleer.local) in SecurityConfig
- Secure bootstrap output file with chmod 600
- Add dev-only comments on TLS_SKIP_VERIFY and credential logging

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -541,9 +541,11 @@ cat > "$BOOTSTRAP_FILE" <<EOF
"oidcAudience": "$API_RESOURCE_INDICATOR"
}
EOF
chmod 600 "$BOOTSTRAP_FILE"
|
log ""
log "=== Bootstrap complete! ==="
# dev only — remove credential logging in production
log " SaaS Owner: $SAAS_ADMIN_USER / $SAAS_ADMIN_PASS"
log " Tenant Admin: $TENANT_ADMIN_USER / $TENANT_ADMIN_PASS"
log " Tenant: $TENANT_NAME (slug: $TENANT_SLUG)"
|
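Review bot: `chmod 600 "$BOOTSTRAP_FILE"` runs only after the heredoc has already written the credentials, so the file briefly exists with the default umask permissions (typically world-readable) before being tightened; set `umask 077` before the `cat > "$BOOTSTRAP_FILE" <<EOF` line, or pre-create the file with restrictive mode (for example `install -m 600 /dev/null "$BOOTSTRAP_FILE"`) and then write into it, so the secret is never readable by other users at any point. Secondarily, the `# dev only — remove credential logging in production` comment above the three `log` lines is a reminder rather than a control: the plaintext `$SAAS_ADMIN_PASS` and `$TENANT_ADMIN_PASS` will still land in whatever sink `log` writes to on every run. Consider gating those lines behind an explicit dev flag or printing only the usernames and pointing to `$BOOTSTRAP_FILE` for the passwords.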