Harden web app security

- Random secret key (env var or generated per-process, not hardcoded)
- CSRF token on all POST forms with constant-time comparison
- Security headers: CSP, X-Frame-Options DENY, X-Content-Type-Options,
  Referrer-Policy, Permissions-Policy
- All form inputs validated against whitelists, no raw user strings
  reach enum lookups or int() calls
- Text inputs truncated to 500 chars
- Numeric inputs bounded (days 3-6, minutes 30-120, sets 0-50)
- Per-session program storage replaces shared global mutable state
- In-memory rate limiter (20 req/min per IP)
- Debug mode off by default (env var opt-in)
- Secure session cookies (HttpOnly, SameSite=Lax, optional Secure)
- Error templates for 400/403/429/500

https://claude.ai/code/session_01Lo7Z7GoRzG6hZkKwrxnXVk

Author: claude

ironforge/templates/error.html

@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Error {{ code }} — Ironforge</title>
+<style>
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body {
+    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif;
+    background: #0f0f0f; color: #e0e0e0;
+    min-height: 100vh;
+    display: flex; flex-direction: column;
+    align-items: center; justify-content: center;
+    padding: 2rem;
+  }
+  .code { font-size: 4rem; font-weight: 700; color: #e8a832; }
+  .msg { font-size: 1rem; color: #888; margin: 1rem 0 2rem; text-align: center; max-width: 400px; line-height: 1.5; }
+  a {
+    color: #e8a832; text-decoration: none;
+    border: 1px solid #2a2a2a; padding: 0.6rem 1.5rem;
+    border-radius: 8px; font-size: 0.9rem;
+  }
+  a:hover { border-color: #e8a832; }
+</style>
+</head>
+<body>
+  <div class="code">{{ code }}</div>
+  <div class="msg">{{ message }}</div>
+  <a href="/">Back to Home</a>
+</body>
+</html>

ironforge/templates/index.html

@@ -208,6 +208,7 @@ <h1>IRONFORGE</h1>
   <div class="progress-label" id="progress-label">Block A — Goals</div>
 
   <form id="intake" action="/generate" method="POST">
+    <input type="hidden" name="_csrf_token" value="{{ csrf_token() }}">
 
     <!-- ═══ BLOCK A: GOALS ═══ -->
     <div class="section active" data-step="0" data-label="Block A — Goals">