---
# Security readiness checklist. Each item is a human-readable control
# statement grouped by area; nothing here is evaluated by a machine.
auth:
  - authentication required for non-public endpoints
  - authorization rules documented and tested

data:
  - secrets stored outside source control
  - encryption in transit enabled
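#!/usr/bin/env bash
# Sign the freshly built image and immediately verify the signature, so a
# signing problem (wrong key, missing password, unreachable registry) fails
# the pipeline here instead of surfacing at deploy time.
set -euo pipefail

# Fail fast with a readable message when the CI environment is incomplete.
# `set -u` does not catch COSIGN_PRIVATE_KEY/COSIGN_PUBLIC_KEY because the
# "env://NAME" argument is a literal string, not a shell expansion.
: "${GITHUB_SHA:?GITHUB_SHA must be set (commit being built)}"
: "${COSIGN_PRIVATE_KEY:?COSIGN_PRIVATE_KEY must be set}"
: "${COSIGN_PUBLIC_KEY:?COSIGN_PUBLIC_KEY must be set}"

# Image name is overridable so the same script serves other repositories;
# the default keeps the previous hard-coded reference.
IMAGE="${IMAGE:-ghcr.io/example/codesnips}"
readonly IMAGE

# NOTE(review): signing a *tag* binds the signature to whatever the tag
# points at right now; a later push can move the tag. Prefer the immutable
# digest form (IMAGE@sha256:<digest-from-build-step>) when the build step
# exposes the digest.
REF="${IMAGE}:${GITHUB_SHA}"

cosign sign --key env://COSIGN_PRIVATE_KEY "${REF}"
cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}"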
; SPF: authorises Google's mail infrastructure (_spf.google.com) to send as
; example.com; "-all" hard-fails every other sender.
example.com. IN TXT "v=spf1 include:_spf.google.com -all"
; DKIM public key for selector "default". The name is relative (no trailing
; dot) and resolves against the zone's $ORIGIN; the key material is
; truncated on this page.
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
; DMARC: quarantine mail that fails alignment, require strict SPF and DKIM
; alignment, send aggregate reports to dmarc@example.com. Moving to
; "p=reject" is the usual next step once the reports show legitimate mail
; is aligned.
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
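---
# Incident severity definitions. Indentation restored: without it the
# sev* keys parse as siblings of "severities" (which becomes null) rather
# than as its children.
severities:
  sev1: customer-impacting active compromise or confirmed data exposure
  sev2: high risk suspicious activity with potential customer impact
  sev3: contained issue with low current impact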
first_hour:
class CspReportsController < ActionController::API
def create
Rails.logger.warn({
event: 'csp_report',
report: params.to_unsafe_h,
ip: request.remote_ip,
user = User.find_by(email: params[:email].to_s.downcase.strip)
if user
raw_token = SecureRandom.urlsafe_base64(32)
user.password_resets.create!(token_digest: Digest::SHA256.hexdigest(raw_token), expires_at: 30.minutes.from_now)
PasswordResetMailer.with(user: user, token: raw_token).deliver_later
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
guard let serverTrust = challenge.protectionSpace.serverTrust else {
completionHandler(.cancelAuthenticationChallenge, nil)
return
}
cookies.encrypted[:trusted_device] = {
value: { user_id: current_user.id, fingerprint: device_fingerprint }.to_json,
expires: 30.days.from_now,
httponly: true,
secure: Rails.env.production?,
same_site: :strict,
# TYPE     DATABASE        USER            ADDRESS        METHOD
# Unix-socket access for the superuser only, authenticated by OS identity.
local all postgres peer
# Application roles: TLS required (hostssl), SCRAM authentication, and the
# source network restricted per role.
hostssl app_production app_user 10.0.0.0/16 scram-sha-256
hostssl app_production reporting_user 10.0.1.0/24 scram-sha-256
# Explicit catch-all: rules are first-match, so any TCP client not covered
# above is refused with a clear error instead of a generic "no pg_hba entry".
# This line is IPv4 only; IPv6 clients fall through to the implicit reject.
# Add a matching "::/0 reject" line if the explicit message is wanted there too.
host all all 0.0.0.0/0 reject
# Listen only on loopback and the private-network interface, never 0.0.0.0.
bind 127.0.0.1 10.0.0.15
# protected-mode refuses remote clients when no bind/auth is configured;
# redundant given the explicit bind above, but harmless to keep on.
protected-mode yes
# Plain TCP port; no TLS directive appears here, so the bind address is the
# only confidentiality control visible in this snippet.
port 6379
# Disable destructive/administrative commands by renaming them to "".
# NOTE(review): rename-command is the legacy mechanism; with an aclfile in
# use the same restriction can be expressed per user (e.g. -@dangerous) and
# is easier to audit.
rename-command FLUSHALL ""
rename-command CONFIG ""
# Per-user credentials and command/key permissions live in the ACL file.
aclfile /etc/redis/users.acl
Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins 'https://app.example.com', 'https://admin.example.com'
resource '/api/*',
headers: %w[Authorization Content-Type],
methods: %i[get post patch delete options],
# Replay protection for an inbound webhook. Both headers are mandatory:
# `fetch` raises KeyError when one is absent (surfaces as a 500 unless a
# rescue exists upstream).
event_id = request.headers.fetch('X-Event-Id')
# Non-numeric values become 0 via to_i and are then rejected as stale.
timestamp = request.headers.fetch('X-Signature-Timestamp').to_i
# Reject requests older than five minutes. NOTE(review): only the past is
# bounded — a timestamp in the future gives a negative difference and passes;
# comparing `(Time.now.to_i - timestamp).abs` would also cap forward skew.
raise ActionController::BadRequest, 'stale request' if Time.now.to_i - timestamp > 300
# Reject an event id already processed. NOTE(review): check-then-act against
# the database — two concurrent deliveries of the same event can both pass
# unless external_id has a unique index and the later insert is handled.
# Confirm the request signature is verified before these headers are trusted.
raise ActionController::BadRequest, 'replay detected' if WebhookEvent.exists?(external_id: event_id)