Some beta-checklist updates

dkam · dkam · commit fed7c3cedb13 · 2026-01-02T11:53:41.000+11:00
diff --git a/README.md b/README.md
@@ -336,9 +336,6 @@ Use SQLite's `VACUUM INTO` command for safe, atomic backups of a running databas
 ```bash
 # Local development
 sqlite3 storage/production.sqlite3 "VACUUM INTO 'backup.sqlite3';"
-
-# Docker
-docker exec clinch sqlite3 /rails/storage/production.sqlite3 "VACUUM INTO '/rails/storage/backup.sqlite3';"
 ```
 
 This creates an optimized copy of the database that's safe to make even while Clinch is running.
diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb
@@ -4,5 +4,5 @@
 # Use this to limit dissemination of sensitive information.
 # See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
 Rails.application.config.filter_parameters += [
-  :passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc
+  :passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc, :backup
 ]
diff --git a/docs/beta-checklist.md b/docs/beta-checklist.md
@@ -155,16 +155,14 @@ This checklist ensures Clinch meets security, quality, and documentation standar
 - [x] Docker Compose example
 - [ ] Production deployment guide
 - [x] Backup and restore documentation
-- [ ] Migration strategy documentation
 
 ## Security Hardening
 
 ### Headers & CSP
-- [ ] Review Content Security Policy
-- [ ] HSTS configuration
-- [ ] X-Frame-Options
-- [ ] X-Content-Type-Options
-- [ ] Referrer-Policy
+- [x] Content Security Policy (comprehensive policy in config/initializers/content_security_policy.rb)
+- [x] X-Frame-Options (DENY in production config)
+- [x] X-Content-Type-Options (nosniff - Rails default)
+- [x] Referrer-Policy (strict-origin-when-cross-origin in production config)
 
 ### Rate Limiting
 - [ ] Login attempt rate limiting
@@ -180,8 +178,7 @@ This checklist ensures Clinch meets security, quality, and documentation standar
 
 ### Logging & Monitoring
 - [x] Sentry integration (optional)
-- [ ] Document what should be logged
-- [ ] Document what should NOT be logged (tokens, passwords)
+- [x] Parameter filtering configured (passwords, tokens, secrets, backup codes, emails filtered from logs)
 - [ ] Audit log for admin actions
 
 ## Known Limitations & Risks

Original file line number	Diff line number	Diff line change
`@@ -4,5 +4,5 @@`
`4`	`4`	`# Use this to limit dissemination of sensitive information.`
`5`	`5`	`# See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.`
`6`	`6`	`Rails.application.config.filter_parameters += [`
`7`		`- :passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc`
	`7`	`+ :passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc, :backup`
`8`	`8`	`]`