Releases: cubinet-code/radius-user-portal

Security Improvements: CSP Nonces & Configurable Validation

03 Jul 21:35
7b3127e

🔒 Security Improvements

This release addresses security feedback from issue #1 with comprehensive improvements:

✨ New Features

  • Configurable Password Validation: RADIUS_CHAR_PATTERN now configurable in config.py
  • Enhanced Character Support: Default pattern includes ! # $ % & ' ( ) * + , - . / : ; = ? @ _ { } for Cisco compatibility

🛡️ Security Enhancements

  • CSP Nonces: Replaced unsafe-inline with proper nonce-based Content Security Policy
  • Flask-Talisman Integration: All security headers now managed by Flask-Talisman
  • Removed Deprecated Headers: X-XSS-Protection header removed (CSP provides better protection)

🧪 Testing

  • Added 3 comprehensive security tests
  • All 8 tests passing
  • CSP nonce functionality verification
  • Configurable validation pattern testing

📚 Documentation

  • Corrected Gunicorn X-Forwarded-For security documentation
  • Updated security headers documentation
  • Added configuration examples for new features

🔗 Links

  • Fixes: #1
  • Pull Request: #3

Full Changelog: 2025.07...2025.07.1

Release 2025.07: Security Hardening and Flask-Session Migration

03 Jul 17:15
9c2c9e7

Security Enhancements

Input Validation and CSRF Protection

  • Input Validation: Added comprehensive validation for RADIUS standards (63-character username and 128-character password limits)
  • Character Validation: Username restricted to alphanumeric, @, ., _, - characters only
  • CSRF Protection: All forms now protected with Flask-WTF CSRF tokens
  • Security Headers: Added CSP, X-Frame-Options, HSTS, X-XSS-Protection, and more
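As an added illustration of the validation these two releases describe (the 63/128-character limits and username character set from 2025.07, and the configurable RADIUS_CHAR_PATTERN with its Cisco-compatible default from 2025.07.1), here is a stand-alone validator in Python. It is not the project's own code; the constant names, helper names and exact regex are assumptions, and the sample inputs are constructed.

```python
import re

# Constructed values modelled on the release notes; the project's own
# config.py (RADIUS_CHAR_PATTERN) may differ in spelling and detail.
USERNAME_MAX_LEN = 63
PASSWORD_MAX_LEN = 128
USERNAME_PATTERN = r"[A-Za-z0-9@._-]+"
# Default password character class listed in the 2025.07.1 notes.
RADIUS_CHAR_PATTERN = r"[A-Za-z0-9!#$%&'()*+,\-./:;=?@_{}]+"


def _check(value, max_len, pattern, field):
    """Return None when value is acceptable, otherwise a reason string.

    re.fullmatch is used so the configured pattern must cover the whole
    string; re.match or re.search would accept a valid prefix followed
    by arbitrary characters, a common validator mistake.
    """
    if not value:
        return f"{field} is required"
    if len(value) > max_len:
        return f"{field} exceeds {max_len} characters"
    try:
        compiled = re.compile(pattern)
    except re.error:
        # Fail closed: a misconfigured pattern must not disable validation.
        return f"{field} validation pattern is invalid"
    if compiled.fullmatch(value) is None:
        return f"{field} contains characters outside the allowed set"
    return None


def validate_username(username):
    return _check(username, USERNAME_MAX_LEN, USERNAME_PATTERN, "username")


def validate_password(password, pattern=RADIUS_CHAR_PATTERN):
    # pattern is a parameter so a deployment can pass its own RADIUS_CHAR_PATTERN
    return _check(password, PASSWORD_MAX_LEN, pattern, "password")


if __name__ == "__main__":
    for u in ("alice@example.com", "bob smith", "x" * 64):
        print(repr(u), "->", validate_username(u))
    for p in ("S3cr3t!#$%&'()*+,-./:;=?@_{}", "has space", "tab\there"):
        print(repr(p), "->", validate_password(p))
```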

X-Forwarded-For Security

  • IP Spoofing Prevention: Configurable FORWARDED_ALLOW_IPS to restrict trusted proxy sources
  • Production Security: Enhanced documentation for proper reverse proxy configuration
  • Container Support: Kubernetes/Docker deployment examples with proper IP restrictions

Technical Improvements

Flask-Session Migration

  • Deprecated Backend Fix: Migrated from deprecated filesystem backend to CacheLib
  • Modern Session Storage: Using FileSystemCache with a 500-item threshold
  • Performance: Improved session handling and storage management

Enhanced Logging and Error Handling

  • Circuit Breaker Logging: Detailed RADIUS server failure tracking with server identification
  • Security Event Logging: Authentication failures, validation errors, and CSRF violations
  • Missing Attribute Handling: Graceful UUID fallback for missing RADIUS Class attributes
  • Troubleshooting: Enhanced error messages with context for easier debugging

Form and Template Improvements

  • WTForms Integration: Complete refactor to use WTForms for validation and rendering
  • Separate Forms: Distinct forms for login, logout, and session extension with proper CSRF protection
  • User Experience: Better error messages and validation feedback

Documentation Updates

Security Configuration Guide

  • X-Forwarded-For Configuration: Comprehensive examples for different deployment scenarios
  • Input Validation: Detailed explanation of RADIUS standards compliance
  • Troubleshooting: New section covering security errors and common issues

Dependencies and Configuration

  • Updated Requirements: New security packages (Flask-WTF, WTForms, cachelib)
  • Configuration Examples: Updated config templates with modern session backend
  • Environment Variables: Enhanced documentation for production deployment

Testing and Quality Assurance

  • Test Suite Updates: Fixed tests to work with CSRF protection and new validation
  • Configuration Isolation: Proper test environment with disabled CSRF for testing
  • Validation Testing: Comprehensive test coverage for input validation scenarios

Addresses GitHub issue #1