Lukas bc4ba703f0 Fix #34: Replace setup redirect allowlist prefix matching with explicit allowlist ...

- Replace fragile startswith() matching with explicit path matching
- Split allowlist into _EXACT_ALLOWED (exact paths) and _PREFIX_ALLOWED (prefixes)
- Prefix paths MUST end with '/' to prevent matching unintended paths like /api/setup-debug
- Paths correctly matched: /api/setup, /api/health, /api/docs, /api/redoc, /api/openapi.json, /api/setup/timezone
- Paths correctly blocked: /api/setup-debug, /api/setup123, /api/jails
- Add comprehensive Setup Guard Route Policy documentation to Backend-Development.md
- Update line numbers in documentation to reflect current implementation

This prevents future route additions from accidentally bypassing the setup guard.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

2026-04-29 19:45:42 +02:00

..

Architekture.md

Fix non-atomic setup persistence across DB contexts (Issue #30)

2026-04-29 19:19:53 +02:00

Backend-Development.md

Fix #34: Replace setup redirect allowlist prefix matching with explicit allowlist

2026-04-29 19:45:42 +02:00

Features.md

Fix issue #31: Make schedule reschedule deterministic and observable

2026-04-29 19:24:55 +02:00

Instructions.md

fix(security): Remove insecure session secret fallback in compose.debug.yml

2026-04-26 15:12:10 +02:00

Refactoring.md

Refactor: Split blocklist import flow into focused components

2026-04-27 18:34:11 +02:00

runner.csx

Refactor services and update documentation

2026-04-26 20:27:04 +02:00

Tasks.md

Fix #34: Replace setup redirect allowlist prefix matching with explicit allowlist

2026-04-29 19:45:42 +02:00

test.md

chore: add Docker config files and fix fail2ban bind mount path

2026-03-03 20:38:32 +01:00

Web-Design.md

Add skeleton loading components for progressive UX

2026-04-28 09:40:10 +02:00

Web-Development.md

Pagination contract is not standardized across endpoints

2026-04-28 21:40:22 +02:00