fix: security hardening — TLS production guard, PII log removal, URL sanitization #215

Merged
LarytheLord merged 1 commit into main from fix/security-hardening
May 5, 2026

@LarytheLord
Owner

Summary

Three targeted security fixes from desloppify scan (HIGH + MEDIUM findings):

  • TLS override production-blocked: SMTP_TLS_INSECURE=true now only activates outside production — prevents misconfiguration from disabling TLS verification in live environments
  • PII log removed: Email address was being logged in forgot-password route even with dev guard — removed entirely
  • URL sanitization in middleware: Dev log was printing full request.url (could expose tokens in query params) — now logs only pathname

What was suppressed as false positive

  • chart.tsx dangerouslySetInnerHTML — shadcn internal CSS var injection, not user input
  • seed.ts hardcoded password — dev-only, never reaches production
  • razorpay/webhook error log — logs key name absence, not the key value
  • reset-password error log — generic Error object, no PII on error path
  • lib/auth.ts email log — dev-only guard, acceptable for local debugging

Test plan

  • npm run lint — 0 errors
  • npm run type-check — 0 errors
  • npm run build — clean
  • Verify SMTP still connects in dev with SMTP_TLS_INSECURE=true
  • Verify SMTP ignores SMTP_TLS_INSECURE=true when NODE_ENV=production

🤖 Generated with Claude Code

…itization

- send-email: TLS insecure override now blocked in production (SMTP_TLS_INSECURE
  can only activate in non-production environments)
- forgot-password: remove email address from dev-mode console.log (PII leak)
- middleware: log only pathname, not full URL (query params can contain tokens)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
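
As an added example (not code from this pull request or the project), here is one way the production-guarded TLS override and the pathname-only logging described above can be written. `resolveSmtpTls` and `loggablePath` are hypothetical names; `rejectUnauthorized` is Node's standard TLS option, and the sample URLs are constructed.

```javascript
// Added illustration; function names are hypothetical, not the project's code.

// Decide certificate verification for the SMTP transport from the environment.
// The insecure override is honoured only when NODE_ENV is not "production".
function resolveSmtpTls(env) {
  const requested = env.SMTP_TLS_INSECURE === 'true';
  const isProduction = env.NODE_ENV === 'production';
  return {
    // Node TLS option: true means the server certificate is verified.
    tls: { rejectUnauthorized: !(requested && !isProduction) },
    // Flag the ignored override so the misconfiguration is visible at startup.
    overrideIgnored: requested && isProduction,
  };
}

// Reduce a request URL to its pathname so query strings and fragments
// (which can carry reset tokens or OAuth codes) never reach the log.
function loggablePath(requestUrl) {
  try {
    // The base makes relative URLs such as "/reset?token=..." parseable.
    return new URL(requestUrl, 'http://placeholder.invalid').pathname;
  } catch {
    return '[unparseable-url]';
  }
}

// Constructed sample inputs, for demonstration only.
const envs = [
  { NODE_ENV: 'development', SMTP_TLS_INSECURE: 'true' },
  { NODE_ENV: 'production', SMTP_TLS_INSECURE: 'true' },
  { NODE_ENV: 'production' },
];
for (const env of envs) {
  const { tls, overrideIgnored } = resolveSmtpTls(env);
  if (overrideIgnored) {
    console.warn('SMTP_TLS_INSECURE ignored: NODE_ENV is production');
  }
  console.log(env.NODE_ENV, 'verify certificate:', tls.rejectUnauthorized);
}

const urls = [
  'https://app.example/reset-password?token=CONSTRUCTED_TOKEN',
  '/api/auth/callback?code=CONSTRUCTED_CODE#frag',
];
for (const u of urls) {
  console.log('[middleware]', loggablePath(u));
}
```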
@LarytheLord LarytheLord requested a review from Adil2009700 as a code owner May 2, 2026 17:26
@vercel
Contributor

vercel Bot commented May 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| adventurers-guild | Ready | Preview, Comment | May 2, 2026 5:27pm |

@LarytheLord LarytheLord merged commit 2eeddf8 into main May 5, 2026
4 checks passed
@LarytheLord LarytheLord deleted the fix/security-hardening branch May 5, 2026 02:43