The Audit
Sanctum Tasks — the task management system that ships with a PHP API, admin UI, Python SDK, and SMCP plugin — went through a serious security review in February. A comprehensive findings report was generated, issues were filed, and fixes were shipped methodically: high severity first, then medium, then low.
High Severity (H-01 through H-08)
- H-01: Session login CSRF. Login now requires a JSON body with origin checking.
- H-02: IP trust. Forwarded IP headers are only trusted behind a configured proxy.
- H-03: Lockout scoping. Rate limiting is now per (username, IP) pair, clearing only the user's own bucket.
- H-04: SDK packaging.
setuptools.packages.find()explicitly specified to avoid shipping unintended files. - H-05: User-state helpers. Return failure (not exception) when a user isn't found.
- H-06: Default status. Tasks created without a status get one set in a database transaction.
- H-07: Admin timezone. Due dates submitted as UTC ISO strings to avoid timezone drift.
- H-08: API key validation order. Key is validated before rate limit check — don't waste cycles limiting invalid keys.
Medium and Low
- M-01 through M-04: Schema DDL idempotence, bootstrap migrations wrapped in transactions, admin task mutation error surfacing, and
apiSuccess()payload override prevention. - M-10 through M-14: Privilege changes propagate to session, temp password exposure stopped, SDK catches
ValueErroron bad JSON. - L-01 through L-04: Secure session cookies by default, API key list is preview-only, revoke checks affected rows, comment timestamps from DB.
Test and CI
The audit was backed by a comprehensive unit and integration test suite, expanded to 100% coverage for both the Python SDK and SMCP plugin. CI was updated for Python and PHP linting. The whole effort shipped across two dozen commits in a single day.
This is the process we want to follow for every Sanctum application: build it, ship it, then audit it systematically before calling it production-ready. Sanctum Tasks is the template.