# Cloud readiness audit

## Included

- Anonymous HttpOnly player identity cookie (`SameSite=Lax`, optional `Secure`).
- Per-player save/profile namespace with validated identifiers.
- Per-player request serialization and cross-player concurrency.
- Application and Nginx rate limiting.
- 64KB request limit and static path containment.
- CSP, clickjacking, MIME sniffing, referrer and permissions headers.
- Health endpoint and Docker health checks.
- Persistent `data/` volume, restrictive save permissions, and backup script.
- Docker Compose deployment with Nginx reverse proxy.
- Bare-metal systemd and Nginx configuration examples.

## Verified locally

| Test | Result |
|---|---|
| Health endpoint and provider readiness | Pass |
| Two independent anonymous player cookies | Pass |
| Player A cannot read Player B run id | Pass (404) |
| Player A turn does not change Player B turn | Pass |
| Save folders separated by player id | Pass |
| Player folders mode `0700`, JSON mode `0600` | Pass |
| Thirteenth rapid POST in one minute | Pass (429) |
| CSP and common security headers | Pass |
| Refined frontend assets and syntax | Pass |

## Deployment boundary

This package intentionally runs one application container/process on one server. Do not use
`docker compose up --scale app=...`: file saves and in-process locks are designed for a single
app instance. Multiple application replicas require a database and distributed locking.

Deleting the browser identity cookie creates a new anonymous player. Back up `data/` regularly.
The default Compose stack serves HTTP so it can be tested immediately by public IP. Put it behind
HTTPS before a public launch, then enable `COOKIE_SECURE=1` and `ENABLE_HSTS=1`.
