SEEN/SECURITY.md
Last modified: 2026-04-10 12:06:24 +02:00
Security Policy

Supported Versions

Version   Supported
0.1.x     yes

Security Best Practices

Before Production Deployment

  1. Generate Strong Secrets

    ./scripts/generate-secrets.sh
    
    • Use the generated JWT secret (minimum 32 bytes)
    • Use the generated database password
    • Never use default or example secrets
  2. Enable HTTPS/TLS

    • Use Let's Encrypt for free TLS certificates
    • Configure Caddy, Nginx, or Traefik for TLS termination
    • Redirect all HTTP traffic to HTTPS
    • Enable HSTS (Strict-Transport-Security with a max-age of at least one year), but only once every hostname it covers serves HTTPS correctly, because browsers cache the policy
  3. Secure Database

    • Change default database credentials
    • Use strong passwords (20+ characters)
    • Don't expose database port to public internet
    • Require TLS for database connections in production and verify the server certificate, not just enable encryption
    • Regular backups with encryption
  4. Secure Cache

    • Set a password for Dragonfly/Redis in production
    • Don't expose cache port to public internet
    • Use network isolation
  5. Configure CORS

    • Set SEEN_CORS_ALLOWED_ORIGINS to your domain only
    • Don't use wildcard (*) in production; browsers also reject * when credentials are allowed
    • Validate the Origin header against that exact list and echo only the matching origin back
  6. Enable Rate Limiting

    • Configure SEEN_RATE_LIMIT_ENABLED=true
    • Adjust limits based on your needs
    • Monitor for abuse
  7. Secure Cookies

    • Set SEEN_SECURE_COOKIES=true in production
    • Cookies will then carry the Secure flag and only be sent over HTTPS
    • Set SameSite=Lax or Strict and HttpOnly on session cookies so they are not attached to cross-site POSTs or readable from scripts
  8. Environment Files

    • Never commit .env files to version control
    • Use .env.production.local for production secrets
    • Restrict file permissions: chmod 600 .env.production.local
    • Consider using a secrets manager (Vault, AWS Secrets Manager)

Security Headers

The following security headers are configured in frontend/nginx.conf:

  • X-Frame-Options: Prevents clickjacking (DENY or SAMEORIGIN; CSP frame-ancestors is the modern equivalent)
  • X-Content-Type-Options: Prevents MIME sniffing (nosniff)
  • X-XSS-Protection: Legacy browser XSS filter; it is deprecated, removed from current browsers, and its "1" mode has been abused for information leaks, so set it to 0 or drop it and rely on CSP
  • Referrer-Policy: Controls referrer information
  • Permissions-Policy: Restricts browser features
  • Content-Security-Policy: Mitigates XSS and injection; the protection is only real if script-src does not allow 'unsafe-inline'

Authentication Security

JWT Tokens

  • Access tokens expire after 15 minutes (configurable)
  • Refresh tokens expire after 7 days (configurable)
  • Tokens are signed with HS256 (symmetric HMAC): the same key signs and verifies, so it must never reach the frontend or any other service, and anyone holding it can mint tokens
  • JWT secret must be at least 32 bytes
  • The verifier must pin the algorithm to HS256 and reject any other alg value, including none, before checking the signature
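To make the points above concrete, here is an added example that is not code from the SEEN project: it generates a secret that meets the 32-byte floor (the job of scripts/generate-secrets.sh) and mints and verifies an HS256 access token with only the Go standard library, pinning the algorithm so a forged "alg":"none" header is refused. The claim names (sub, iat, exp) and the function names are this example's own assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const minSecretBytes = 32 // the floor this policy sets for the HS256 key

// Claims are the fields this example puts in the access token (assumed, not SEEN's).
type Claims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// NewSecret draws n random bytes for the HS256 key, refusing anything under the floor.
func NewSecret(n int) ([]byte, error) {
	if n < minSecretBytes {
		return nil, fmt.Errorf("JWT secret must be at least %d bytes, got %d", minSecretBytes, n)
	}
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

var enc = base64.RawURLEncoding // JWT uses unpadded base64url

func hs256(secret []byte, signingInput string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// Mint issues an HS256 token for sub that expires ttl after now.
func Mint(secret []byte, sub string, now time.Time, ttl time.Duration) (string, error) {
	if len(secret) < minSecretBytes {
		return "", errors.New("refusing to sign with a weak secret")
	}
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(Claims{Sub: sub, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(body)
	return signingInput + "." + enc.EncodeToString(hs256(secret, signingInput)), nil
}

// Verify checks a token. The algorithm is pinned to HS256 before the signature
// is looked at, so "alg":"none" or an RS256 header is rejected rather than
// honoured, and the MAC comparison is constant-time.
func Verify(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed header")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(secret, parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	rawClaims, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed claims")
	}
	var c Claims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	secret, err := NewSecret(32)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := Mint(secret, "user-42", now, 15*time.Minute)
	c, err := Verify(secret, tok, now)
	fmt.Println(tok, c.Sub, err)
}
```

The secret would normally be stored base64-encoded in the environment file and decoded at startup; the length check must run on the decoded bytes, not on the encoded string.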

Password Security

  • Passwords hashed with bcrypt (cost factor 12); bcrypt generates its own per-password salt and only hashes the first 72 bytes of input
  • Minimum password requirements enforced
  • No password stored in plain text
  • Session and refresh tokens are kept server-side in the session store, never written to plain files or logs

Session Management

  • Sessions stored in Dragonfly cache
  • Automatic session expiration
  • Refresh token rotation
  • Logout invalidates all tokens

API Security

Rate Limiting

Default limits (configurable):

  • 100 requests per minute per user
  • Applies to all authenticated endpoints; unauthenticated endpoints such as login should additionally be limited per source IP, since that is where credential stuffing lands
  • Returns 429 Too Many Requests when exceeded (send Retry-After so well-behaved clients back off)
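As an added example, not SEEN's own middleware, the following Go code implements the behaviour described above with a fixed-window counter: per-user limits for authenticated traffic, per-IP limits for anonymous traffic, and a 429 with Retry-After when the window is exhausted. The in-process map stands in for the shared cache a multi-replica deployment would count in; the userOf hook, the key format and the X-RateLimit-Limit header are this example's assumptions.

```go
package main

import (
	"fmt"
	"math"
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// Limiter is a fixed-window counter per key. It lives in process memory here;
// a real deployment with several replicas would keep the counters in the cache.
type Limiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	counts map[string]*winState
}

type winState struct {
	start time.Time // when the current window opened
	n     int       // hits seen in it
}

func NewLimiter(limit int, window time.Duration) *Limiter {
	return &Limiter{limit: limit, window: window, counts: map[string]*winState{}}
}

// Allow records one hit for key and reports whether it is within the limit.
// When it is not, retryAfter is the time until the window resets.
func (l *Limiter) Allow(key string, now time.Time) (allowed bool, retryAfter time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	w := l.counts[key]
	if w == nil || now.Sub(w.start) >= l.window {
		w = &winState{start: now}
		l.counts[key] = w
	}
	if w.n >= l.limit {
		return false, w.start.Add(l.window).Sub(now)
	}
	w.n++
	return true, 0
}

// ClientKey limits authenticated traffic per user and anonymous traffic (the
// login endpoint included) per source IP, so credential stuffing is throttled
// before any user identity exists.
func ClientKey(r *http.Request, userID string) string {
	if userID != "" {
		return "user:" + userID
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return "ip:" + host
}

// RateLimit wraps next and answers 429 with Retry-After once the limit is hit.
// userOf returns the authenticated user set by an earlier auth middleware
// (assumed here), or "" for an anonymous request.
func RateLimit(l *Limiter, userOf func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, retry := l.Allow(ClientKey(r, userOf(r)), time.Now())
		w.Header().Set("X-RateLimit-Limit", strconv.Itoa(l.limit))
		if !ok {
			w.Header().Set("Retry-After", strconv.Itoa(int(math.Ceil(retry.Seconds()))))
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	l := NewLimiter(100, time.Minute) // the page's default: 100 requests per minute
	now := time.Now()
	for i := 1; i <= 101; i++ {
		if ok, retry := l.Allow("user:42", now); !ok {
			fmt.Printf("request %d blocked, retry in %v\n", i, retry)
		}
	}
}
```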

Input Validation

  • All inputs validated and sanitized
  • SQL injection protection via parameterized queries
  • XSS protection via output encoding
  • File upload validation (when implemented)

CORS Configuration

Production CORS settings:

SEEN_CORS_ALLOWED_ORIGINS=https://yourdomain.com
SEEN_CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS
SEEN_CORS_ALLOWED_HEADERS=Content-Type,Authorization
SEEN_CORS_ALLOW_CREDENTIALS=true
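The following Go middleware is an added example and not SEEN's own code. It loads the variables shown above together with SEEN_SECURE_COOKIES, refuses a wildcard origin (which browsers reject anyway when credentials are allowed), echoes back only an exactly matching Origin, refuses state-changing requests from unknown origins, and builds the session cookie with the Secure, HttpOnly and SameSite flags the Secure Cookies item asks for. The function names, the __Host- cookie prefix and the 403 for unknown origins are this example's choices.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// CORSConfig holds the SEEN_CORS_* and SEEN_SECURE_COOKIES settings named on
// this page; how they are parsed and enforced below is this example's own.
type CORSConfig struct {
	AllowedOrigins   map[string]bool
	AllowedMethods   string
	AllowedHeaders   string
	AllowCredentials bool
	SecureCookies    bool
}

// LoadCORSConfig reads the variables and rejects the combinations the policy
// warns against: a wildcard origin, a non-HTTPS origin with secure cookies,
// and credentials with no origin list at all.
func LoadCORSConfig(env map[string]string) (CORSConfig, error) {
	cfg := CORSConfig{
		AllowedOrigins:   map[string]bool{},
		AllowedMethods:   env["SEEN_CORS_ALLOWED_METHODS"],
		AllowedHeaders:   env["SEEN_CORS_ALLOWED_HEADERS"],
		AllowCredentials: env["SEEN_CORS_ALLOW_CREDENTIALS"] == "true",
		SecureCookies:    env["SEEN_SECURE_COOKIES"] == "true",
	}
	for _, o := range strings.Split(env["SEEN_CORS_ALLOWED_ORIGINS"], ",") {
		o = strings.TrimSpace(o)
		switch {
		case o == "":
			continue
		case o == "*":
			return cfg, errors.New("SEEN_CORS_ALLOWED_ORIGINS must not contain '*' in production")
		case cfg.SecureCookies && !strings.HasPrefix(o, "https://"):
			return cfg, fmt.Errorf("origin %q must be https when secure cookies are enabled", o)
		}
		cfg.AllowedOrigins[o] = true
	}
	if cfg.AllowCredentials && len(cfg.AllowedOrigins) == 0 {
		return cfg, errors.New("credentials enabled but no allowed origin configured")
	}
	return cfg, nil
}

// CORS validates the Origin header against the exact allow list. An allowed
// origin is echoed back verbatim (never "*"), preflights are answered here,
// and a state-changing request from an unknown origin is refused outright.
func CORS(cfg CORSConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" { // same-origin or non-browser client: nothing to do
			next.ServeHTTP(w, r)
			return
		}
		if !cfg.AllowedOrigins[origin] {
			if r.Method == http.MethodGet || r.Method == http.MethodHead {
				next.ServeHTTP(w, r) // browser will not let the page read the response
				return
			}
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", origin)
		h.Add("Vary", "Origin") // caches must not hand one origin's response to another
		if cfg.AllowCredentials {
			h.Set("Access-Control-Allow-Credentials", "true")
		}
		if r.Method == http.MethodOptions { // preflight
			h.Set("Access-Control-Allow-Methods", cfg.AllowedMethods)
			h.Set("Access-Control-Allow-Headers", cfg.AllowedHeaders)
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// SessionCookie builds the cookie carrying the refresh token. With secure
// cookies on it gets the Secure flag and the __Host- prefix, which makes the
// browser enforce Secure, Path=/ and the absence of a Domain attribute.
func SessionCookie(cfg CORSConfig, name, value string, ttl time.Duration) *http.Cookie {
	if cfg.SecureCookies {
		name = "__Host-" + name
	}
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		MaxAge:   int(ttl.Seconds()),
		HttpOnly: true,                 // not readable from JavaScript
		Secure:   cfg.SecureCookies,    // HTTPS only
		SameSite: http.SameSiteLaxMode, // not attached to cross-site POSTs
	}
}

func main() {
	cfg, err := LoadCORSConfig(map[string]string{
		"SEEN_CORS_ALLOWED_ORIGINS": "https://yourdomain.com", "SEEN_CORS_ALLOWED_METHODS": "GET,POST,PUT,DELETE,OPTIONS",
		"SEEN_CORS_ALLOWED_HEADERS": "Content-Type,Authorization", "SEEN_CORS_ALLOW_CREDENTIALS": "true", "SEEN_SECURE_COOKIES": "true",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(SessionCookie(cfg, "refresh_token", "opaque-value", 7*24*time.Hour).String())
}
```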

Infrastructure Security

Docker Security

  1. Non-root User

    • Backend runs as non-root user (UID 10001)
    • Minimal attack surface
  2. Resource Limits

    • CPU and memory limits configured
    • Prevents resource exhaustion attacks
  3. Network Isolation

    • Services communicate via internal network
    • Only necessary ports exposed
  4. Image Security

    • Use official base images, pinned by tag and digest so a rebuild cannot silently pull a different image
    • Rebuild regularly to pick up security patches in the base layers
    • Minimal image size

Database Security

  1. Access Control

    • Strong password required
    • Limited to internal network
    • Connection pooling configured
  2. Backup Security

    • Automated daily backups
    • Encrypted backup storage recommended
    • 7-day retention policy
  3. Monitoring

    • Health checks enabled
    • Connection monitoring
    • Query logging (optional)

Cache Security

  1. Access Control

    • Password protection in production
    • Limited to internal network
    • Memory limits configured
  2. Data Expiration

    • Automatic TTL on all cached data
    • LRU eviction policy
    • Regular cleanup

Monitoring and Logging

Security Logging

  • All authentication attempts logged
  • Failed login attempts tracked
  • API access logged with request IDs
  • Error logging with stack traces (dev only)

Log Security

  • Logs stored in JSON format
  • No sensitive data in logs (passwords, tokens)
  • Log rotation configured (10MB max, 3 files)
  • Centralized logging recommended

Monitoring

  • Health check endpoints for uptime monitoring
  • Metrics endpoint for Prometheus (optional)
  • Alert on failed health checks
  • Monitor for unusual activity

Vulnerability Reporting

If you discover a security vulnerability, please email: security@yourdomain.com

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

We will respond within 48 hours and provide updates on the fix timeline.

Security Updates

  • Security patches released as soon as possible
  • Critical vulnerabilities announced via GitHub Security Advisories
  • Regular dependency updates
  • Subscribe to security mailing list (coming soon)

Compliance

Data Protection

  • User passwords hashed and salted (bcrypt)
  • Access tokens are signed (HS256), not encrypted: their claims are readable by anyone holding the token, so no sensitive data is placed in them
  • No plain text storage of sensitive data
  • Data retention policies configurable

Privacy

  • Minimal data collection
  • User data not shared with third parties
  • TMDB and IGDB API calls server-side only
  • No tracking or analytics by default

Security Checklist

Before deploying to production:

  • Strong JWT secret generated (32+ bytes)
  • Strong database password set
  • HTTPS/TLS enabled with valid certificate
  • Security headers configured
  • CORS properly configured
  • Rate limiting enabled
  • Secure cookies enabled
  • Database not exposed to internet
  • Cache not exposed to internet
  • Firewall configured
  • Backups enabled and tested
  • Log rotation configured
  • Resource limits set
  • Environment files secured
  • Dependencies updated
  • Security scan completed

Security Tools

  1. Dependency Scanning

    # Frontend
    cd frontend && npm audit
    
    # Backend: nancy reads the module list from stdin (govulncheck ./... from golang.org/x/vuln is the Go team's equivalent)
    cd backend && go list -json -m all | nancy sleuth
    
  2. Container Scanning

    # docker scan was retired together with the Snyk integration; use Docker Scout or Trivy
    docker scout cves seen-backend
    trivy image seen-backend
    trivy image seen-frontend
    
  3. TLS Testing

    # Test TLS configuration (protocols, ciphers, certificate chain, HSTS)
    testssl.sh https://yourdomain.com
    
  4. Security Headers

    # Check security headers on a GET; some servers answer HEAD differently
    curl -sS -D - -o /dev/null https://yourdomain.com
    
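The curl call above only lists the headers; judging them is still manual. The following added example (not a SEEN tool) audits a response header set against the policy in the Security Headers section: it flags a missing nosniff, CSP, framing protection, Referrer-Policy or Permissions-Policy, an HSTS max-age under one year, a script-src that allows 'unsafe-inline', and an enabled X-XSS-Protection filter. The one-year HSTS floor and the finding texts are this example's choices.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strconv"
	"strings"
)

const hstsMinAge = 31536000 // one year, the usual floor for HSTS max-age

// directive returns the values of one CSP directive, or "" if it is absent.
func directive(csp, name string) string {
	for _, d := range strings.Split(csp, ";") {
		f := strings.Fields(d)
		if len(f) > 0 && f[0] == name {
			return strings.Join(f[1:], " ")
		}
	}
	return ""
}

// hstsMaxAge parses max-age out of a Strict-Transport-Security value.
func hstsMaxAge(v string) (int, bool) {
	for _, p := range strings.Split(v, ";") {
		p = strings.TrimSpace(p)
		if strings.HasPrefix(p, "max-age=") {
			n, err := strconv.Atoi(strings.TrimPrefix(p, "max-age="))
			return n, err == nil
		}
	}
	return 0, false
}

// AuditHeaders returns one finding per missing or weak security header in h;
// an empty result means every check passed.
func AuditHeaders(h http.Header) []string {
	var findings []string
	get := func(name string) string { return strings.ToLower(strings.TrimSpace(h.Get(name))) }

	if get("X-Content-Type-Options") != "nosniff" {
		findings = append(findings, "X-Content-Type-Options: missing or not 'nosniff'")
	}
	csp := get("Content-Security-Policy")
	if csp == "" {
		findings = append(findings, "Content-Security-Policy: missing")
	} else {
		scripts := directive(csp, "script-src")
		if scripts == "" {
			scripts = directive(csp, "default-src") // script-src falls back to default-src
		}
		if strings.Contains(scripts, "'unsafe-inline'") {
			findings = append(findings, "Content-Security-Policy: script-src allows 'unsafe-inline', which defeats its XSS protection")
		}
	}
	if xfo := get("X-Frame-Options"); xfo != "deny" && xfo != "sameorigin" && directive(csp, "frame-ancestors") == "" {
		findings = append(findings, "clickjacking: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors")
	}
	if xp := get("X-XSS-Protection"); xp != "" && !strings.HasPrefix(xp, "0") {
		findings = append(findings, "X-XSS-Protection: deprecated filter enabled; set it to '0' or remove it and rely on CSP")
	}
	if age, ok := hstsMaxAge(get("Strict-Transport-Security")); !ok {
		findings = append(findings, "Strict-Transport-Security: missing")
	} else if age < hstsMinAge {
		findings = append(findings, fmt.Sprintf("Strict-Transport-Security: max-age %d is below one year", age))
	}
	if get("Referrer-Policy") == "" {
		findings = append(findings, "Referrer-Policy: missing")
	}
	if get("Permissions-Policy") == "" {
		findings = append(findings, "Permissions-Policy: missing")
	}
	return findings
}

// FetchHeaders does a GET (not HEAD, which some servers answer differently).
func FetchHeaders(url string) (http.Header, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return resp.Header, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: headercheck https://yourdomain.com")
		os.Exit(2)
	}
	h, err := FetchHeaders(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	findings := AuditHeaders(h)
	for _, f := range findings {
		fmt.Println("WARN", f)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero so a deployment pipeline can fail on it
	}
}
```

Run it against the deployed frontend after each nginx.conf change; an exit status of 1 lists exactly which header drifted.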

Additional Resources

License

This security policy is part of the SEEN project and follows the same license.


Last Updated: April 6, 2026
Version: 1.0.0