OmniDock GitHub

$ man omnidock/security

OmniDock Security Model

Review OmniDock security expectations for Worker secrets, admin password hashing, D1 sessions, Cloudflare API tokens, external email credentials, HTML email sanitization, and public repo hygiene.

Credential storage

  • API tokens and external provider credentials belong in Worker secrets.
  • Admin passwords should never be stored in plaintext. Store a salted PBKDF2 hash in D1.
  • External account credential values should not be collected by the UI or written to D1.
  • Logs must be useful for debugging without printing secret values.

Session model

Production auth should use D1-backed HttpOnly SameSite session cookies. Session tokens should be hashed before D1 storage. Failed auth attempts should be rate limited. Password reset tokens should be hashed, expire, and send only from a verified sender.

Public repo checklist

  • Do not commit .dev.vars.
  • Do not commit D1 IDs, bucket names, account IDs, API tokens, admin passwords, Gmail app passwords, or private domains.
  • Use generic examples for personal email addresses and domains.
  • Enable GitHub Secret Scanning and CodeQL for the fork.