- Per-page title/description/canonical/OG tags: about, checkout (per-plan),
terms, enterprise-terms, success all get unique SEO blocks
- Homepage title updated to em-dash form; meta description adds CTA
- og:site_name added to all pages
- noindex/nofollow on checkout, success, account pages
- Sitemap (/sitemap.xml) with all public pages; robots.txt updated with
Sitemap directive and Disallow for private paths
- Schema: WebSite type added, Organization gains logo ImageObject, SoftwareApplication
gains url field, billingIncrement corrected to billingPeriod (ISO 8601 P1M),
sameAs gains x.com/neurontechai alongside GitHub
- marked.min.js given defer attribute (was render-blocking)
- page_head refactored into page_head_base + page_seo_block + page_open_seo
for clean inner-page overrides without duplicating the CSS/script block
- Switch to http_serve_v2/http_set_handler_v2 so request headers are available
to El handler code (prerequisite for all header-based security checks)
- Stripe webhook (CVE-class): add HMAC-SHA256 signature verification against
Stripe-Signature header using STRIPE_WEBHOOK_SECRET env var. Previously any
unauthenticated POST could forge a payment_intent.succeeded event and
increment the founding counter or trigger Supabase account provisioning for
arbitrary emails.
- CORS on /api/supabase-config: restrict to neurontechnologies.ai and localhost
origins only. Cross-origin requests now get 403.
- /api/soul-health: require X-Internal: true header; otherwise return 404.
  Endpoint was publicly accessible and leaked the internal soul service URL,
  network topology, and raw probe responses. Note: a fixed header value is only
  a barrier if the edge proxy strips a client-supplied X-Internal header before
  forwarding; otherwise any external caller can set it.
- Static asset / JS headers: add X-Frame-Options, Referrer-Policy,
Permissions-Policy, and Content-Security-Policy to static_asset_headers_json
and js_headers_json. These were only present on HTML/API responses before.
- Fix state key bug: share_card_page read state_get("__neuron_origin__") but
the key registered at startup is "__origin__", causing empty base URLs in
share card og: meta tags.
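The three header-based checks above (Stripe-Signature verification, the Origin allowlist on /api/supabase-config, and the X-Internal gate on /api/soul-health) as one added worked example. This is illustration code written for this page, not the project's El handler code; the function names, the allowed-origin set (www included), the 300-second replay window, and the sample event are assumptions. The signature scheme is Stripe's documented one: the header carries `t=<unix timestamp>` and one or more `v1=<hex>` values, and each v1 is HMAC-SHA256 over `<timestamp>.<raw request body>` keyed with the endpoint secret.

```python
"""Header-based request checks (added example; hypothetical names throughout)."""
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

STRIPE_TOLERANCE_SECONDS = 300  # assumption: Stripe's documented replay window


def parse_stripe_signature(header):
    """Parse 't=<unix ts>,v1=<hex>[,v1=<hex>...]' into (ts, [v1, ...])."""
    ts, sigs = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            ts = int(value)
        elif key == "v1" and value:
            sigs.append(value)
    return ts, sigs


def stripe_signature(secret, ts, raw_body):
    """HMAC-SHA256 over '<ts>.<raw body bytes>' keyed with the endpoint secret."""
    return hmac.new(secret.encode(), f"{ts}.".encode() + raw_body, hashlib.sha256).hexdigest()


def verify_stripe_signature(raw_body, header, secret, now=None):
    """True only for a fresh, correctly signed body. Always verify the raw bytes
    as received: re-serialising the JSON first would change the signed payload."""
    if not header or not secret:
        return False
    ts, sigs = parse_stripe_signature(header)
    if ts is None or not sigs:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > STRIPE_TOLERANCE_SECONDS:
        return False  # stale or replayed event
    expected = stripe_signature(secret, ts, raw_body).encode()
    # Constant-time comparison; any matching v1 (key rotation) is accepted.
    return any(hmac.compare_digest(expected, s.encode()) for s in sigs)


def sign_like_stripe(secret, raw_body, ts):
    """Build a Stripe-Signature header value (only for constructing test input)."""
    return f"t={ts},v1={stripe_signature(secret, ts, raw_body)}"


def handle_stripe_webhook(raw_body, headers, secret, now=None):
    """Return (status, event type). Reject with 400 before parsing any JSON,
    so a forged payment_intent.succeeded never reaches business logic."""
    if not verify_stripe_signature(raw_body, headers.get("Stripe-Signature", ""), secret, now):
        return 400, None
    return 200, json.loads(raw_body).get("type")


# --- CORS allowlist for /api/supabase-config ---
ALLOWED_ORIGIN_HOSTS = {"neurontechnologies.ai", "www.neurontechnologies.ai"}  # assumption
LOCALHOST_HOSTS = {"localhost", "127.0.0.1"}


def origin_allowed(origin):
    """Exact match on scheme and host. Substring or regex matching would let
    'https://neurontechnologies.ai.evil.example' or a userinfo trick through."""
    if not origin:
        return False
    try:
        parts = urlsplit(origin)
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or parts.path or parts.query or parts.fragment:
        return False
    if host in LOCALHOST_HOSTS:
        return True  # any port and plain http for local development
    return parts.scheme == "https" and host in ALLOWED_ORIGIN_HOSTS and port in (None, 443)


def cors_response_headers(origin):
    """Echo the validated origin (never '*') and set Vary so shared caches do not
    serve one origin's response to another. None means the caller answers 403."""
    if not origin_allowed(origin):
        return None
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


# --- Internal-only gate for /api/soul-health ---
def soul_health_status(headers):
    """404 unless X-Internal: true. Only a real barrier when the edge proxy strips
    a client-supplied X-Internal header before forwarding (assumption)."""
    return 200 if headers.get("X-Internal", "").strip().lower() == "true" else 404
```

The webhook check is ordered so that the timestamp window is enforced before the HMAC is computed and the body is only parsed after the signature passes; the CORS check parses the Origin value as a URL and compares the host exactly rather than testing whether the string contains the site name.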