You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Deployment hardening section (LOW-4) — recommended edge/WAF rules for /api/ep/ep/anonymous (per-IP rate limit, short-cache anonymous responses). No code change.
epClientSecret audit (INFO-1) — grep usage; if unused in the package, delete the field from the public config interface. If reserved for future use, document the contract (server-only, never in providerProps()) with an inline comment.
Acceptance criteria
README has a "Security model" section enumerating the post-fixes guarantees
README has a "Deployment hardening" section with recommended edge/WAF rules
epClientSecret is either removed or comment-documented as server-only
CHANGELOG entry summarizes the breaking changes (tokenSurface default, allowedOrigins requirement) so consumers upgrading aren't surprised
Parent PRD
#279
What to build
Closing slice for PRD #279. Three small jobs bundled because none of them merit a standalone issue:
Security model README section — describe the package's security guarantees after Security: verify EP account token in /ep/account/login (#279 HIGH-1) #280–Security: apply Origin-allowlist gate to cart routes (#279 MEDIUM-2) #287 land: HttpOnly JWE session, server-side cart routes, opt-in browser token surface, Origin-allowlist gates on proxy + cart, host allowlist on bundle config, account-login token verification.
Deployment hardening section (LOW-4) — recommended edge/WAF rules for
/api/ep/ep/anonymous(per-IP rate limit, short-cache anonymous responses). No code change.epClientSecretaudit (INFO-1) — grep usage; if unused in the package, delete the field from the public config interface. If reserved for future use, document the contract (server-only, never inproviderProps()) with an inline comment.Acceptance criteria
epClientSecretis either removed or comment-documented as server-onlytokenSurfacedefault,allowedOriginsrequirement) so consumers upgrading aren't surprisedBlocked by
User stories addressed