# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |

## Security Best Practices

### Before Production Deployment

1. **Generate Strong Secrets**

   ```bash
   ./scripts/generate-secrets.sh
   ```

   - Use the generated JWT secret (minimum 32 bytes)
   - Use the generated database password
   - Never use default or example secrets

2. **Enable HTTPS/TLS**
   - Use Let's Encrypt for free SSL certificates
   - Configure Caddy, Nginx, or Traefik for TLS termination
   - Redirect all HTTP traffic to HTTPS
   - Enable HSTS headers

3. **Secure Database**
   - Change the default database credentials
   - Use strong passwords (20+ characters)
   - Don't expose the database port to the public internet
   - Enable SSL/TLS for database connections in production
   - Take regular backups and encrypt them

4. **Secure Cache**
   - Set a password for Dragonfly/Redis in production
   - Don't expose the cache port to the public internet
   - Use network isolation

5. **Configure CORS**
   - Set `SEEN_CORS_ALLOWED_ORIGINS` to your domain only
   - Don't use a wildcard (`*`) in production
   - Validate `Origin` headers against that list

6. **Enable Rate Limiting**
   - Configure `SEEN_RATE_LIMIT_ENABLED=true`
   - Adjust limits based on your needs
   - Monitor for abuse

7. **Secure Cookies**
   - Set `SEEN_SECURE_COOKIES=true` in production
   - Cookies will then only be sent over HTTPS
   - Enable SameSite protection

8.
   **Environment Files**
   - Never commit `.env` files to version control
   - Use `.env.production.local` for production secrets
   - Restrict file permissions: `chmod 600 .env.production.local`
   - Consider using a secrets manager (Vault, AWS Secrets Manager)

## Security Headers

The following security headers are configured in `frontend/nginx.conf`:

- **X-Frame-Options**: Prevents clickjacking attacks
- **X-Content-Type-Options**: Prevents MIME sniffing
- **X-XSS-Protection**: Enables the XSS filter in older browsers (current browsers ignore this header; the Content-Security-Policy below is the effective control)
- **Referrer-Policy**: Controls referrer information
- **Permissions-Policy**: Restricts browser features
- **Content-Security-Policy**: Prevents XSS and injection attacks

## Authentication Security

### JWT Tokens

- Access tokens expire after 15 minutes (configurable)
- Refresh tokens expire after 7 days (configurable)
- Tokens are signed with the HS256 algorithm
- The JWT secret must be at least 32 bytes

### Password Security

- Passwords are hashed with bcrypt (cost factor 12)
- Minimum password requirements are enforced
- No password is stored in plain text
- Session tokens are stored securely

### Session Management

- Sessions are stored in the Dragonfly cache
- Automatic session expiration
- Refresh token rotation
- Logout invalidates all tokens

## API Security

### Rate Limiting

Default limits (configurable):

- 100 requests per minute per user
- Applies to all authenticated endpoints
- Returns `429 Too Many Requests` when exceeded

### Input Validation

- All inputs are validated and sanitized
- SQL injection protection via parameterized queries
- XSS protection via output encoding
- File upload validation (when implemented)

### CORS Configuration

Production CORS settings:

```bash
SEEN_CORS_ALLOWED_ORIGINS=https://yourdomain.com
SEEN_CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS
SEEN_CORS_ALLOWED_HEADERS=Content-Type,Authorization
SEEN_CORS_ALLOW_CREDENTIALS=true
```

## Infrastructure Security

### Docker Security

1. **Non-root User**
   - Backend runs as a non-root user (UID 10001)
   - Minimal attack surface

2.
   **Resource Limits**
   - CPU and memory limits configured
   - Prevents resource exhaustion attacks

3. **Network Isolation**
   - Services communicate via an internal network
   - Only necessary ports are exposed

4. **Image Security**
   - Use official base images
   - Regular updates for security patches
   - Minimal image size

### Database Security

1. **Access Control**
   - Strong password required
   - Limited to the internal network
   - Connection pooling configured

2. **Backup Security**
   - Automated daily backups
   - Encrypted backup storage recommended
   - 7-day retention policy

3. **Monitoring**
   - Health checks enabled
   - Connection monitoring
   - Query logging (optional)

### Cache Security

1. **Access Control**
   - Password protection in production
   - Limited to the internal network
   - Memory limits configured

2. **Data Expiration**
   - Automatic TTL on all cached data
   - LRU eviction policy
   - Regular cleanup

## Monitoring and Logging

### Security Logging

- All authentication attempts are logged
- Failed login attempts are tracked
- API access is logged with request IDs
- Error logging with stack traces (dev only)

### Log Security

- Logs are stored in JSON format
- No sensitive data in logs (passwords, tokens)
- Log rotation configured (10 MB max, 3 files)
- Centralized logging recommended

### Monitoring

- Health check endpoints for uptime monitoring
- Metrics endpoint for Prometheus (optional)
- Alert on failed health checks
- Monitor for unusual activity

## Vulnerability Reporting

If you discover a security vulnerability, please email: security@yourdomain.com

Please include:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

We will respond within 48 hours and provide updates on the fix timeline.
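A worked example for the JWT Tokens section above: an HS256 mint/verify pair written for this document, not the SEEN backend's own code. The names `Mint` and `Verify`, the `ttl` parameter and the claim layout (`sub`, `exp`) are assumptions; only the Go standard library is used, and the 32-byte minimum, 15-minute lifetime and HS256 pinning come from the policy above.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// header is the only JOSE header this example issues; Verify pins it byte-for-byte, so a token whose header claims "none" or another algorithm is rejected before anything is parsed.
var header = enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))

// mac is the HS256 signature: HMAC-SHA256 over the base64url "header.payload" signing input.
func mac(secret []byte, signingInput string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(signingInput))
	return enc.EncodeToString(m.Sum(nil))
}

// Mint issues a token for sub that expires ttl after now (15 minutes for SEEN access tokens); it refuses a secret shorter than the 32 bytes this policy requires.
func Mint(secret []byte, sub string, now time.Time, ttl time.Duration) (string, error) {
	if len(secret) < 32 {
		return "", errors.New("jwt secret must be at least 32 bytes")
	}
	body, _ := json.Marshal(map[string]interface{}{"sub": sub, "exp": now.Add(ttl).Unix()})
	input := header + "." + enc.EncodeToString(body)
	return input + "." + mac(secret, input), nil
}

// Verify pins the header, compares the MAC in constant time before trusting the payload, then enforces exp; it returns the subject of a valid token.
func Verify(secret []byte, token string, now time.Time) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || p[0] != header {
		return "", errors.New("malformed token or unexpected alg")
	}
	if !hmac.Equal([]byte(mac(secret, p[0]+"."+p[1])), []byte(p[2])) {
		return "", errors.New("bad signature")
	}
	var c struct{ Sub string `json:"sub"`; Exp int64 `json:"exp"` }
	if body, err := enc.DecodeString(p[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return "", errors.New("malformed claims")
	}
	if !now.Before(time.Unix(c.Exp, 0)) { // a missing exp decodes as 0, so it counts as expired
		return "", errors.New("token expired")
	}
	return c.Sub, nil
}
```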
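For the Rate Limiting section above, an added per-user fixed-window limiter that answers with `429 Too Many Requests` and a `Retry-After` header. It is an illustration written for this document, not the SEEN implementation: `Limiter`, `Allow`, `Middleware` and the `userID` extractor are assumed names, and the 100-per-minute default is the one stated above.

```go
package main

import (
	"net/http"
	"strconv"
	"sync"
	"time"
)

// Limiter enforces a per-user quota over a fixed window; this document's default is 100 requests per minute per authenticated user. now is a field so tests can drive the clock.
type Limiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	now    func() time.Time
	seen   map[string]*bucket // a production limiter would also evict users whose window has lapsed
}
type bucket struct{ count int; reset time.Time } // reset is the end of the user's current window

func NewLimiter(limit int, window time.Duration) *Limiter {
	return &Limiter{limit: limit, window: window, now: time.Now, seen: map[string]*bucket{}}
}

// Allow records one request for user and reports whether it is within quota, plus the whole seconds until the window resets (the Retry-After value when it is not).
func (l *Limiter) Allow(user string) (ok bool, retryAfter int) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	b := l.seen[user]
	if b == nil || !now.Before(b.reset) { // first request, or the previous window has elapsed
		b = &bucket{reset: now.Add(l.window)}
		l.seen[user] = b
	}
	b.count++
	retryAfter = int((b.reset.Sub(now) + time.Second - 1) / time.Second) // round up to whole seconds
	return b.count <= l.limit, retryAfter
}

// Middleware applies the limiter to an authenticated endpoint; userID extracts the caller's identity
// (in SEEN that would come from the verified access token, here it is a parameter).
func (l *Limiter) Middleware(userID func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ok, retry := l.Allow(userID(r)); !ok {
			w.Header().Set("Retry-After", strconv.Itoa(retry))
			http.Error(w, "429 Too Many Requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```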
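For the CORS Configuration section above (and step 5 of the deployment list), an added validator and middleware for the `SEEN_CORS_*` values; it is written for this document and is not the project's code. `ParseCORS`, `AllowOrigin` and `Middleware` are assumed names, and it assumes production origins are `https://` scheme-plus-host entries like the example config, so matching is exact rather than prefix- or suffix-based.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

// CORS holds the four SEEN_CORS_* settings after validation; origins is an exact-match allow-list.
type CORS struct{ origins map[string]bool; methods, headers string; credentials bool }
// ParseCORS enforces this policy's production rules: a wildcard is refused (browsers also ignore "*" when
// credentials are allowed) and every entry must be https://host with no path, so it can only match exactly.
func ParseCORS(origins, methods, headers string, credentials bool) (*CORS, error) {
	c := &CORS{origins: map[string]bool{}, methods: methods, headers: headers, credentials: credentials}
	for _, o := range strings.Split(origins, ",") {
		o = strings.ToLower(strings.TrimSpace(o))
		if o == "*" || !strings.HasPrefix(o, "https://") || strings.Count(o, "/") != 2 {
			return nil, errors.New("SEEN_CORS_ALLOWED_ORIGINS entry must be https://host, not a wildcard or path: " + o)
		}
		c.origins[o] = true
	}
	return c, nil
}

// AllowOrigin returns the Access-Control-Allow-Origin value for a request's Origin header, or "" when it is absent or not listed; http://yourdomain.com and https://yourdomain.com.attacker.example both fail the exact match.
func (c *CORS) AllowOrigin(origin string) string {
	if c.origins[strings.ToLower(origin)] {
		return origin
	}
	return ""
}

// Middleware emits CORS headers only for allowed origins, answers preflights with 204, and always adds Vary: Origin so a shared cache never replays one origin's response to another.
func (c *CORS) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin")
		if o := c.AllowOrigin(r.Header.Get("Origin")); o != "" {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Methods", c.methods)
			w.Header().Set("Access-Control-Allow-Headers", c.headers)
			if c.credentials {
				w.Header().Set("Access-Control-Allow-Credentials", "true")
			}
		}
		if r.Method == http.MethodOptions { // preflight: a disallowed origin gets 204 without CORS headers
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```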
## Security Updates

- Security patches are released as soon as possible
- Critical vulnerabilities are announced via GitHub Security Advisories
- Regular dependency updates
- Subscribe to the security mailing list (coming soon)

## Compliance

### Data Protection

- User passwords hashed and salted
- Session tokens encrypted
- No plain text storage of sensitive data
- Data retention policies configurable

### Privacy

- Minimal data collection
- User data not shared with third parties
- TMDB and IGDB API calls made server-side only
- No tracking or analytics by default

## Security Checklist

Before deploying to production:

- [ ] Strong JWT secret generated (32+ bytes)
- [ ] Strong database password set
- [ ] HTTPS/TLS enabled with a valid certificate
- [ ] Security headers configured
- [ ] CORS properly configured
- [ ] Rate limiting enabled
- [ ] Secure cookies enabled
- [ ] Database not exposed to the internet
- [ ] Cache not exposed to the internet
- [ ] Firewall configured
- [ ] Backups enabled and tested
- [ ] Log rotation configured
- [ ] Resource limits set
- [ ] Environment files secured
- [ ] Dependencies updated
- [ ] Security scan completed

## Security Tools

### Recommended Tools

1. **Dependency Scanning**

   ```bash
   # Frontend
   cd frontend && npm audit

   # Backend
   cd backend && go list -json -m all | nancy sleuth
   ```

2. **Container Scanning**

   ```bash
   docker scan seen-backend
   docker scan seen-frontend
   ```

   Note that `docker scan` has been removed from current Docker releases; `docker scout cves <image>` is its replacement.

3. **SSL Testing**

   ```bash
   # Test SSL configuration
   testssl.sh https://yourdomain.com
   ```

4. **Security Headers**

   ```bash
   # Check security headers
   curl -I https://yourdomain.com
   ```

## Additional Resources

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Docker Security Best Practices](https://docs.docker.com/engine/security/)
- [Go Security Best Practices](https://golang.org/doc/security/)
- [SolidJS Security](https://www.solidjs.com/guides/security)

## License

This security policy is part of the SEEN project and follows the same license.
---

**Last Updated**: April 6, 2026

**Version**: 1.0.0