Sienna Meridian Satterwhite
50a4abf94f
Kratos: xchacha20-poly1305 cipher for at-rest encryption, 12-char min password with HaveIBeenPwned + similarity check, recovery/verification switched to code (not link), anti-enumeration on unknown recipients, 15m privileged session, 24h session extend throttle, JSON structured logging, WebAuthn passwordless enabled, additionalProperties: false on all identity schemas, memory limits bumped to 256Mi. Hydra: expose_internal_errors disabled, PKCE enforced for public clients, janitor CronJob every 6h, cookie domain set explicitly, SSRF prevention via disallow_private_ip_ranges, JSON structured logging, Maester enabledNamespaces includes monitoring. Also: fixed selfservice URL patch divergence (settings path, missing allowed_return_urls), removed invalid responseTypes on Hive client.
27 lines
1.0 KiB
YAML
27 lines
1.0 KiB
YAML
# Kratos selfservice UI URLs — patch over the Helm-rendered kratos-config ConfigMap.
|
|
# DOMAIN_SUFFIX is substituted by sunbeam apply.
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: kratos-config
|
|
namespace: ory
|
|
data:
|
|
selfservice.default_browser_return_url: "https://auth.DOMAIN_SUFFIX/"
|
|
selfservice.flows.login.ui_url: "https://auth.DOMAIN_SUFFIX/login"
|
|
selfservice.flows.registration.ui_url: "https://auth.DOMAIN_SUFFIX/registration"
|
|
selfservice.flows.recovery.ui_url: "https://auth.DOMAIN_SUFFIX/recovery"
|
|
selfservice.flows.settings.ui_url: "https://auth.DOMAIN_SUFFIX/security"
|
|
selfservice.allowed_return_urls: |
|
|
- https://auth.DOMAIN_SUFFIX/
|
|
- https://docs.DOMAIN_SUFFIX/
|
|
- https://meet.DOMAIN_SUFFIX/
|
|
- https://drive.DOMAIN_SUFFIX/
|
|
- https://mail.DOMAIN_SUFFIX/
|
|
- https://messages.DOMAIN_SUFFIX/
|
|
- https://people.DOMAIN_SUFFIX/
|
|
- https://src.DOMAIN_SUFFIX/
|
|
- https://find.DOMAIN_SUFFIX/
|
|
- https://cal.DOMAIN_SUFFIX/
|
|
- https://projects.DOMAIN_SUFFIX/
|
|
- https://admin.DOMAIN_SUFFIX/
|