From 762cf91f86cd8a2316a021c74db45b9f34316692 Mon Sep 17 00:00:00 2001 From: lila Date: Fri, 24 Apr 2026 09:30:20 +0200 Subject: [PATCH] updating tasks --- documentation/backlog.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/documentation/backlog.md b/documentation/backlog.md index 7656309..127ee05 100644 --- a/documentation/backlog.md +++ b/documentation/backlog.md @@ -26,9 +26,6 @@ Things that are actively in progress or should be picked up immediately. Mostly - **Hetzner domain migration check** `[infra]` Verify whether the lilastudy.com domain needs to be migrated following a Hetzner DNS change. Check Hetzner dashboard for any pending migration notice. -- **Security headers with helmet** `[security]` - Add helmet middleware to set secure HTTP response headers. One-liner: app.use(helmet()). Covers headers like X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy. - - **Conditionally register OAuth providers** `[debt]` Better Auth logs warnings when social providers are registered without credentials (`Social provider google is missing clientId or clientSecret`). Instead of registering all providers unconditionally, only add a provider to the config when its credentials are present in the environment. Keeps local dev clean for contributors who don't have OAuth apps set up. @@ -120,6 +117,7 @@ Directionally right, timing is unclear. Revisit when the next/now work is done. Shipped milestones, newest first. +- **04 - 2026 - Security headers with helmet** - Add helmet middleware to set secure HTTP response headers. - **04 - 2026 - Rate limiting on API endpoints** - At minimum: auth endpoints (brute force prevention) and game endpoints (spam prevention) - **04 - 2026 — Migrations in deploy pipeline** — Drizzle migrate runs as a CI/CD step before the API container restarts - **04 - 2026 — Phase 6: Production deployment** — Hetzner VPS, Caddy HTTPS, Forgejo CI/CD, daily DB backups, cross-subdomain auth
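Review bot: In the first hunk (`@@ -26,9 +26,6 @@`), the deleted "Security headers with helmet" item is the only place in this file that records how the task was meant to be done, namely `app.use(helmet())`, and which headers it covers (X-Content-Type-Options, X-Frame-Options, Content-Security-Policy). The shipped entry added further down keeps only the first sentence. Consider carrying the header list into the shipped entry, so the backlog still shows which headers the change was expected to set and someone can later check them against the deployed responses.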
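Review bot: In the second hunk (`@@ -120,6 +117,7 @@`), the added line `- **04 - 2026 - Security headers with helmet** - Add helmet middleware ...` is still worded as a task ("Add helmet middleware") although it sits under "Shipped milestones". The Migrations entry just below it states what is now in place ("Drizzle migrate runs as a CI/CD step"), so something like "helmet middleware sets secure HTTP response headers on the API" would read more consistently. A style point on the same line: it uses plain hyphens as separators, matching the Rate limiting entry but not the em dash separators in the Migrations and Phase 6 entries. Pick one separator for the section.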