security: implement quick win remediations (FLOOD-001, CLI-002, CLI-003, AUDIT-001)

FLOOD-001: Cap anti-flood request list at configurable max entries
- Add ANTIFLOOD_MAX_ENTRIES config (default 10000)
- Prune oldest entries when limit exceeded

CLI-002: Explicitly set SSL hostname verification
- Add ctx.check_hostname = True and ctx.verify_mode = CERT_REQUIRED
- Defense in depth (create_default_context sets these by default)

CLI-003: Warn on insecure config file permissions
- Check if config file is world-readable
- Print warning to stderr if permissions too open

AUDIT-001: Already implemented - query has LIMIT/OFFSET with 500 max

app/config.py

@@ -84,6 +84,8 @@ class Config:
     ANTIFLOOD_STEP = int(os.environ.get("FLASKPASTE_ANTIFLOOD_STEP", "2"))  # bits per step
     ANTIFLOOD_MAX = int(os.environ.get("FLASKPASTE_ANTIFLOOD_MAX", "28"))  # max difficulty
     ANTIFLOOD_DECAY = int(os.environ.get("FLASKPASTE_ANTIFLOOD_DECAY", "60"))  # seconds to decay
+    # FLOOD-001: Maximum entries in anti-flood request list (memory DoS protection)
+    ANTIFLOOD_MAX_ENTRIES = int(os.environ.get("FLASKPASTE_ANTIFLOOD_MAX_ENTRIES", "10000"))
 
     # URL prefix for reverse proxy deployments (e.g., "/paste" for mymx.me/paste)
     URL_PREFIX = os.environ.get("FLASKPASTE_URL_PREFIX", "").rstrip("/")