Security hardening: CSP, OIDC validation, API key hashing, audit logging

Add Content-Security-Policy header to all responses, tuned for iframe-based
dashboard architecture. Validate OIDC ID tokens (signature, nonce, issuer,
audience, expiry) using coreos/go-oidc. Replace plaintext API key storage
with bcrypt hashing. Add structured audit logging (source=audit) for all
security-relevant events across 5 files (21 audit points).

Also:
- Raise test coverage threshold to 85% (Go + frontend)
- Add coverage enforcement to pre-push hook for frontend
- Add vitest coverage thresholds (statements/lines 85%, branches 70%, functions 80%)
- Update Codecov targets from 70%/auto to 85%/85%
- Add OWASP ASVS Level 2 badge to README and wiki
- Add security wiki page documenting all ASVS controls
- Update wiki docs for api_key_hash (replaces plaintext api_key)

Author: mescon

.githooks/pre-push

@@ -17,9 +17,8 @@ BOLD='\033[1m'
 NC='\033[0m'
 
 # Coverage thresholds (percentage)
-GO_COVERAGE_THRESHOLD=80
-# Frontend lib/ coverage is what matters (components are 0% — that's normal for Svelte)
-# We only enforce Go coverage since SonarCloud gates on that
+GO_COVERAGE_THRESHOLD=85
+FE_COVERAGE_THRESHOLD=85
 
 REPO_ROOT="$(git rev-parse --show-toplevel)"
 
@@ -63,12 +62,31 @@ else
 fi
 rm -f "$GO_COVER_FILE"
 
-# ─── Frontend tests ────────────────────────────────────────────────
-info "Running frontend tests..."
+# ─── Frontend tests with coverage ─────────────────────────────────
+info "Running frontend tests with coverage..."
 
-if (cd "$REPO_ROOT/web" && npm run test 2>&1 | tail -20); then
+FE_OUTPUT=$(cd "$REPO_ROOT/web" && npx vitest run --coverage 2>&1)
+FE_EXIT=$?
+
+if [ $FE_EXIT -eq 0 ]; then
     pass "Frontend tests passed"
+
+    # Parse overall statement coverage from the "All files" line
+    FE_COVERAGE=$(echo "$FE_OUTPUT" | grep "All files" | awk -F'|' '{gsub(/ /,"",$2); print $2}')
+
+    if [ -n "$FE_COVERAGE" ]; then
+        FE_COV_INT=$(echo "$FE_COVERAGE" | cut -d. -f1)
+        if [ "$FE_COV_INT" -ge "$FE_COVERAGE_THRESHOLD" ]; then
+            pass "Frontend coverage: ${FE_COVERAGE}% (threshold: ${FE_COVERAGE_THRESHOLD}%)"
+        else
+            fail "Frontend coverage: ${FE_COVERAGE}% — below ${FE_COVERAGE_THRESHOLD}% threshold"
+            errors=$((errors + 1))
+        fi
+    else
+        warn "Could not parse frontend coverage"
+    fi
 else
+    echo "$FE_OUTPUT" | tail -20
     fail "Frontend tests failed"
     errors=$((errors + 1))
 fi

CONTRIBUTING.md

@@ -71,16 +71,33 @@ go build -tags embed_web -o muximux ./cmd/muximux
 
 ## Testing
 
+### Coverage Target
+
+Both backend (Go) and frontend (Svelte/TypeScript) maintain **85% statement/line coverage**. This is enforced by:
+
+- **Pre-push hook** -- blocks pushes below threshold
+- **Codecov** -- gates PRs at 85% on new code
+- **Vitest** -- fails `npm run test:coverage` if coverage drops below threshold
+
+Tests themselves are excluded from coverage metrics.
+
 ### Backend
 
 ```bash
 go test -race ./...
+
+# With coverage report
+go test -race -coverprofile=coverage.txt ./internal/...
+go tool cover -func=coverage.txt | tail -1
 ```
 
 ### Frontend
 
 ```bash
 cd web && npm run test
+
+# With coverage report
+cd web && npx vitest run --coverage
 ```
 
 ### Full pre-push check (mirrors CI)

README.md

@@ -15,6 +15,7 @@ One binary. One port. One YAML config file.
 [![Maintainability](https://sonarcloud.io/api/project_badges/measure?project=mescon_Muximux&metric=sqale_rating)](https://sonarcloud.io/summary/overall?id=mescon_Muximux)
 [![Security](https://sonarcloud.io/api/project_badges/measure?project=mescon_Muximux&metric=security_rating)](https://sonarcloud.io/summary/overall?id=mescon_Muximux)
 [![Codecov](https://codecov.io/gh/mescon/Muximux/branch/main/graph/badge.svg)](https://codecov.io/gh/mescon/Muximux)
+[![OWASP ASVS](https://img.shields.io/badge/OWASP_ASVS-Level_2-005571?logo=owasp)](docs/wiki/security.md)
 [![Docker](https://img.shields.io/badge/ghcr.io-mescon%2Fmuximux-blue?logo=docker)](https://ghcr.io/mescon/muximux)
 [![Release](https://img.shields.io/github/v/release/mescon/Muximux)](https://github.com/mescon/Muximux/releases/latest)
 ![License](https://img.shields.io/badge/License-GPL%20v2-blue)
@@ -149,6 +150,7 @@ Full documentation is available in the **[Wiki](docs/wiki/README.md)**:
 - [Configuration Reference](docs/wiki/configuration.md) - All config.yaml options
 - [Apps](docs/wiki/apps.md) - Adding and configuring applications
 - [Built-in Reverse Proxy](docs/wiki/reverse-proxy.md) - How the proxy works and when to use it
+- [Security](docs/wiki/security.md) - Security measures and OWASP ASVS compliance
 - [Authentication](docs/wiki/authentication.md) - Auth methods and setup
 - [TLS & HTTPS](docs/wiki/tls-and-gateway.md) - Certificates and gateway mode
 - [Deployment Guide](docs/wiki/deployment.md) - Production deployment examples

cmd/muximux/main.go

@@ -75,12 +75,6 @@ func main() {
 		log.Fatalf("Failed to load configuration: %v", err)
 	}
 
-	if cfg.Migrate() {
-		if err := cfg.Save(*configPath); err != nil {
-			log.Printf("Warning: failed to save migrated config: %v", err)
-		}
-	}
-
 	logFile := filepath.Join(*dataDir, "muximux.log")
 	if err := logging.Init(logging.Config{
 		Level:   logging.Level(cfg.Server.LogLevel),
@@ -93,6 +87,11 @@ func main() {
 
 	applyOverrides(cfg, *listenAddr, *basePath)
 
+	// Warn if OIDC client_secret is stored as plaintext in config
+	if cfg.Auth.OIDC.Enabled && cfg.Auth.OIDC.ClientSecret != "" && !config.IsBracedEnvRef(cfg.Auth.OIDC.ClientSecret) {
+		logging.Warn("OIDC client_secret is stored in plaintext config — consider using ${ENV_VAR} syntax", "source", "config")
+	}
+
 	// Create and start server
 	srv, err := server.New(cfg, *configPath, *dataDir, version, commit, buildDate)
 	if err != nil {

codecov.yml

@@ -2,10 +2,10 @@ coverage:
   status:
     project:
       default:
-        target: auto
+        target: 85%
     patch:
       default:
-        target: 70%
+        target: 85%
 
 flags:
   backend:

docs/wiki/README.md

@@ -1,5 +1,10 @@
 # Muximux Wiki
 
+[![OWASP ASVS](https://img.shields.io/badge/OWASP_ASVS-Level_2-005571?logo=owasp)](security.md)
+[![Security](https://sonarcloud.io/api/project_badges/measure?project=mescon_Muximux&metric=security_rating)](https://sonarcloud.io/summary/overall?id=mescon_Muximux)
+[![Codecov](https://codecov.io/gh/mescon/Muximux/branch/main/graph/badge.svg)](https://codecov.io/gh/mescon/Muximux)
+[![Quality Gate](https://sonarcloud.io/api/project_badges/measure?project=mescon_Muximux&metric=alert_status)](https://sonarcloud.io/summary/overall?id=mescon_Muximux)
+
 Muximux is a modern, self-hosted web application portal for your homelab. It runs as a single binary, serves on a single port, and stores all configuration in one YAML file. Add your self-hosted applications, organize them into groups, and access them from a unified dashboard with health monitoring, keyboard shortcuts, and a built-in reverse proxy.
 
 ![Muximux dashboard](https://raw.githubusercontent.com/mescon/Muximux/main/docs/screenshots/09-dashboard-dark.png)
@@ -21,6 +26,7 @@ Muximux is designed to fit your setup, from a simple dashboard to a full reverse
 - [Configuration Reference](configuration.md) -- Full config.yaml format and all available options
 - [Apps](apps.md) -- Adding, configuring, and managing applications
 - [Built-in Reverse Proxy](reverse-proxy.md) -- Proxying app traffic through Muximux
+- [Security Overview](security.md) -- Security measures, OWASP ASVS compliance, and hardening details
 - [Authentication](authentication.md) -- Built-in auth, forward auth, and OIDC
 - [TLS & HTTPS](tls-and-gateway.md) -- Automatic certificates, custom certificates, and gateway mode
 - [Gateway Examples](gateway-examples.md) -- Recipes for proxying common homelab services

docs/wiki/_Sidebar.md

@@ -18,6 +18,7 @@
 - [Icons](icons)
 
 **Security**
+- [Security Overview](security)
 - [Authentication](authentication)
 - [TLS & HTTPS](tls-and-gateway)
 - [Gateway Examples](gateway-examples)

docs/wiki/api.md

@@ -77,7 +77,7 @@ GET /api/apps
 X-Api-Key: your-api-key-here
 ```
 
-The API key is configured in `auth.api_key` in your config file.
+The API key is configured as a bcrypt hash in `auth.api_key_hash` in your config file. See [Authentication > API Key Authentication](authentication.md#api-key-authentication) for setup instructions.
 
 ### User Management
 

docs/wiki/authentication.md

@@ -35,7 +35,7 @@ auth:
   method: builtin
   session_max_age: 24h        # How long sessions last (default: 24h)
   secure_cookies: true         # Set true if serving over HTTPS
-  api_key: "your-secret-key"   # Optional: for API access without login
+  api_key_hash: "$2a$10$..."    # Optional: bcrypt hash of API key (see below)
   users:
     - username: admin
       password_hash: "$2a$10$..."  # bcrypt hash
@@ -225,13 +225,44 @@ client_secret: ${OIDC_CLIENT_SECRET}
 
 ## API Key Authentication
 
-When `api_key` is set in the auth config, you can authenticate API requests using the `X-Api-Key` header instead of a session cookie. This is useful for integrations, scripts, and automated tools.
+When `api_key_hash` is set in the auth config, you can authenticate API requests using the `X-Api-Key` header instead of a session cookie. This is useful for integrations, scripts, and automated tools.
 
 ```bash
 curl -H "X-Api-Key: your-secret-key" https://muximux.example.com/api/apps
 ```
 
-The API key is checked using constant-time comparison to prevent timing attacks.
+### How It Works
+
+The API key is stored as a **bcrypt hash** in `config.yaml` -- not as plaintext. When a request arrives with `X-Api-Key`, Muximux verifies it against the stored hash using `bcrypt.CompareHashAndPassword`. This means:
+
+- The original API key cannot be recovered from the config file
+- If `config.yaml` is compromised, the attacker cannot extract the key
+- Verification is constant-time, preventing timing attacks
+
+### Generating an API Key Hash
+
+Use the same tools as for password hashes:
+
+```bash
+# Using the hashpw utility
+./hashpw 'my-api-key'
+
+# Using htpasswd
+htpasswd -nbBC 10 "" 'my-api-key' | cut -d: -f2
+
+# Using Python
+python3 -c "import bcrypt; print(bcrypt.hashpw(b'my-api-key', bcrypt.gensalt()).decode())"
+```
+
+Then add the hash to your config:
+
+```yaml
+auth:
+  method: builtin
+  api_key_hash: "$2a$10$..."
+```
+
+You can also set the API key through the **Settings > Security** panel in the Muximux UI. The UI hashes the key automatically before storing it.
 
 ---
 

docs/wiki/configuration.md

@@ -40,7 +40,7 @@ auth:
 
   session_max_age: 24h         # Session duration (default: 24h)
   secure_cookies: false        # Require HTTPS for session cookies
-  api_key: ""                  # Optional API key for X-Api-Key auth
+  api_key_hash: ""             # Optional bcrypt hash of API key for X-Api-Key auth
 
   # Builtin auth users
   users:
@@ -180,7 +180,7 @@ Use `${VARIABLE_NAME}` in any string value to reference environment variables. T
 auth:
   oidc:
     client_secret: ${OIDC_CLIENT_SECRET}
-  api_key: ${MUXIMUX_API_KEY}
+  api_key_hash: ${MUXIMUX_API_KEY_HASH}
 
 apps:
   - name: Plex
@@ -225,7 +225,7 @@ Everything else -- navigation, themes, apps, groups, icons, keybindings, health
 
 You can export your configuration as a downloadable YAML file and import it on another instance:
 
-- **Export** strips sensitive data (password hashes, OIDC secrets, API keys) before download.
+- **Export** strips sensitive data (password hashes, OIDC secrets, API key hashes) before download.
 - **Import** parses the uploaded YAML, validates it, and shows a preview so you can review before applying.
 
 This is available in the Settings panel under the General tab, or via the API (see [API Reference](api.md)).