# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 0.1.x | :white_check_mark: |
## Security Best Practices
### Before Production Deployment
1. **Generate Strong Secrets**
   ```bash
   ./scripts/generate-secrets.sh
   ```
   - Use the generated JWT secret (minimum 32 bytes)
   - Use the generated database password
   - Never use default or example secrets
2. **Enable HTTPS/TLS**
   - Use Let's Encrypt for free SSL certificates
   - Configure Caddy, Nginx, or Traefik for TLS termination
   - Redirect all HTTP traffic to HTTPS
   - Enable HSTS headers
3. **Secure Database**
   - Change default database credentials
   - Use strong passwords (20+ characters)
   - Don't expose database port to public internet
   - Enable SSL/TLS for database connections in production
   - Regular backups with encryption
4. **Secure Cache**
   - Set a password for Dragonfly/Redis in production
   - Don't expose cache port to public internet
   - Use network isolation
5. **Configure CORS**
   - Set `SEEN_CORS_ALLOWED_ORIGINS` to your domain only
   - Don't use wildcard (*) in production
   - Validate origin headers
6. **Enable Rate Limiting**
   - Configure `SEEN_RATE_LIMIT_ENABLED=true`
   - Adjust limits based on your needs
   - Monitor for abuse
7. **Secure Cookies**
   - Set `SEEN_SECURE_COOKIES=true` in production
   - Cookies will only be sent over HTTPS
   - Enable SameSite protection
8. **Environment Files**
   - Never commit `.env` files to version control
   - Use `.env.production.local` for production secrets
   - Restrict file permissions: `chmod 600 .env.production.local`
   - Consider using a secrets manager (Vault, AWS Secrets Manager)
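
The steps above are easy to skip under deployment pressure, so a service can refuse to boot until they are met. The following Go program is an added example, not code from the SEEN project: it checks the JWT secret length, the `SEEN_SECURE_COOKIES` and `SEEN_RATE_LIMIT_ENABLED` flags, the `chmod 600` permission on the env file, and builds a session cookie with the Secure/HttpOnly/SameSite attributes. `SEEN_JWT_SECRET` is an assumed variable name (the policy states only the 32-byte minimum), and SameSite=Strict is a choice made here.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// Settings named in the policy. SEEN_JWT_SECRET is an assumed name; the
// policy gives the 32-byte minimum but not the variable.
const (
	MinJWTSecretBytes = 32
	EnvSecureCookies  = "SEEN_SECURE_COOKIES"
	EnvRateLimit      = "SEEN_RATE_LIMIT_ENABLED"
	EnvJWTSecret      = "SEEN_JWT_SECRET" // assumed name
)

// CheckJWTSecret enforces the 32-byte minimum. Length is measured in bytes,
// not characters, because that is what HMAC-SHA256 consumes.
func CheckJWTSecret(secret string) error {
	if len(secret) < MinJWTSecretBytes {
		return fmt.Errorf("jwt secret is %d bytes, need at least %d", len(secret), MinJWTSecretBytes)
	}
	return nil
}

// CheckEnvFilePerms fails unless the file is owner-only (what `chmod 600`
// produces): any group or other permission bit is a finding.
func CheckEnvFilePerms(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %04o; expected 0600", path, perm)
	}
	return nil
}

func isTrue(v string) bool { return strings.EqualFold(strings.TrimSpace(v), "true") }

// ValidateProductionEnv runs the startup checks a deployment should not boot
// without, returning every problem found rather than only the first.
func ValidateProductionEnv(env map[string]string) []error {
	var errs []error
	if err := CheckJWTSecret(env[EnvJWTSecret]); err != nil {
		errs = append(errs, err)
	}
	if !isTrue(env[EnvSecureCookies]) {
		errs = append(errs, errors.New(EnvSecureCookies+" must be true in production"))
	}
	if !isTrue(env[EnvRateLimit]) {
		errs = append(errs, errors.New(EnvRateLimit+" must be true in production"))
	}
	return errs
}

// SessionCookie builds the cookie carrying a refresh token. Secure keeps it
// off plain HTTP, HttpOnly keeps it away from page scripts, and SameSite
// Strict (a choice made here) stops it riding along on cross-site requests.
func SessionCookie(name, value string, secure bool, maxAge int) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		MaxAge:   maxAge,
		Secure:   secure,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
	}
}

func main() {
	// Constructed sample environment, deliberately misconfigured.
	env := map[string]string{
		EnvJWTSecret:     "too-short",
		EnvSecureCookies: "false",
		EnvRateLimit:     "true",
	}
	for _, err := range ValidateProductionEnv(env) {
		fmt.Println("config error:", err)
	}
}
```

Run the checks once at startup and exit non-zero on any error; a service that starts with a 12-byte secret or cookies over HTTP has already lost the protections the checklist is meant to give.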
## Security Headers
The following security headers are configured in `frontend/nginx.conf`:
- **X-Frame-Options**: Prevents clickjacking attacks
- **X-Content-Type-Options**: Prevents MIME sniffing
- **X-XSS-Protection**: Enables the legacy browser XSS filter (current browsers no longer honour this header; Content-Security-Policy is the effective control)
- **Referrer-Policy**: Controls referrer information
- **Permissions-Policy**: Restricts browser features
- **Content-Security-Policy**: Prevents XSS and injection attacks
## Authentication Security
### JWT Tokens
- Access tokens expire after 15 minutes (configurable)
- Refresh tokens expire after 7 days (configurable)
- Tokens are signed with HS256 algorithm
- JWT secret must be at least 32 bytes
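
To make the four statements above concrete, here is an added example of HS256 token issuance and verification using only the Go standard library; it is not the SEEN backend's code and its `Claims` layout and function names are assumptions. It refuses secrets under 32 bytes, issues access tokens with a 15-minute and refresh tokens with a 7-day lifetime, pins the accepted algorithm to HS256 before any key is used, compares the MAC in constant time, and checks expiry only after the signature is trusted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Lifetimes and secret length as stated in the policy.
const (
	AccessTokenTTL  = 15 * time.Minute
	RefreshTokenTTL = 7 * 24 * time.Hour
	MinSecretBytes  = 32
)

var (
	ErrWeakSecret   = errors.New("jwt secret must be at least 32 bytes")
	ErrInvalidToken = errors.New("invalid token")
	ErrExpiredToken = errors.New("token expired")
)

// Claims is the minimal payload: subject, token type, issued-at and expiry.
type Claims struct {
	Sub string `json:"sub"`
	Typ string `json:"typ"` // "access" or "refresh"
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

func hs256(secret []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Sign produces header.payload.signature with a fixed HS256 header and
// refuses secrets shorter than the policy minimum.
func Sign(secret []byte, c Claims) (string, error) {
	if len(secret) < MinSecretBytes {
		return "", ErrWeakSecret
	}
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	return signingInput + "." + enc.EncodeToString(hs256(secret, signingInput)), nil
}

// NewToken issues an access or refresh token with the policy lifetime.
func NewToken(secret []byte, userID, typ string, now time.Time) (string, error) {
	ttl := AccessTokenTTL
	if typ == "refresh" {
		ttl = RefreshTokenTTL
	}
	return Sign(secret, Claims{Sub: userID, Typ: typ, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
}

// Verify checks structure, pins the algorithm to HS256 (a header naming any
// other alg, or none, is rejected before the key is touched), compares the
// MAC in constant time, and only then decodes the claims and checks expiry.
func Verify(secret []byte, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, ErrInvalidToken
	}
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return c, ErrInvalidToken
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return c, ErrInvalidToken
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(secret, parts[0]+"."+parts[1])) {
		return c, ErrInvalidToken
	}
	payload, err := enc.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return c, ErrInvalidToken
	}
	if now.Unix() >= c.Exp {
		return c, ErrExpiredToken
	}
	return c, nil
}

func main() {
	secret := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte sample; generate real ones
	now := time.Now()
	tok, _ := NewToken(secret, "user-42", "access", now)
	c, err := Verify(secret, tok, now.Add(14*time.Minute))
	fmt.Println(c.Sub, c.Typ, err)
}
```

The order inside `Verify` matters: algorithm pinning and the MAC check come before the payload is parsed, so nothing in an unauthenticated token influences control flow. A real deployment would also check `typ` at the endpoint (refresh tokens must not be accepted where an access token is expected) and keep a revocation list in the cache for the logout case described under Session Management.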
### Password Security
- Passwords hashed with bcrypt (cost factor 12)
- Minimum password requirements enforced
- No password stored in plain text
- Session tokens stored securely
### Session Management
- Sessions stored in Dragonfly cache
- Automatic session expiration
- Refresh token rotation
- Logout invalidates all tokens
## API Security
### Rate Limiting
Default limits (configurable):
- 100 requests per minute per user
- Applies to all authenticated endpoints
- Returns 429 Too Many Requests when exceeded
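
As an added example (not the SEEN backend's implementation), the limiter below enforces the stated default of 100 requests per minute per user with a sliding window, answers excess requests with 429 and a `Retry-After` header, and takes the clock as a parameter so the behaviour can be tested without sleeping. The `userIDOf` callback is a hypothetical hook for reading the authenticated user from the request.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// Policy default: 100 requests per minute per user.
const (
	DefaultLimit  = 100
	DefaultWindow = time.Minute
)

// RateLimiter keeps a sliding window of request timestamps per user.
type RateLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	hits   map[string][]time.Time
}

func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
	if limit < 1 {
		limit = 1
	}
	return &RateLimiter{limit: limit, window: window, hits: map[string][]time.Time{}}
}

// Allow records a request for userID at time now and reports whether it is
// within the limit; when it is not, retryAfter is the time until the oldest
// counted request leaves the window.
func (rl *RateLimiter) Allow(userID string, now time.Time) (allowed bool, retryAfter time.Duration) {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	cutoff := now.Add(-rl.window)
	// In-place filter: drop timestamps that have left the window.
	kept := rl.hits[userID][:0]
	for _, ts := range rl.hits[userID] {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}
	if len(kept) >= rl.limit {
		rl.hits[userID] = kept
		return false, kept[0].Sub(cutoff)
	}
	rl.hits[userID] = append(kept, now)
	return true, 0
}

// Middleware applies the limiter to authenticated endpoints. userIDOf is a
// hypothetical hook that returns the authenticated user or "" for anonymous
// requests; those pass through here, since the policy scopes this limit to
// authenticated endpoints (login endpoints need their own per-client limit).
func (rl *RateLimiter) Middleware(userIDOf func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := userIDOf(r)
		if id == "" {
			next.ServeHTTP(w, r)
			return
		}
		if ok, retry := rl.Allow(id, time.Now()); !ok {
			w.Header().Set("Retry-After", strconv.Itoa(int(retry.Seconds())+1))
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	rl := NewRateLimiter(DefaultLimit, DefaultWindow)
	now := time.Now()
	for i := 1; i <= DefaultLimit+1; i++ { // constructed burst of 101 requests
		if ok, retry := rl.Allow("user-42", now); !ok {
			fmt.Printf("request %d rejected, retry after %v\n", i, retry.Round(time.Second))
		}
	}
}
```

An in-memory map is fine for a single backend instance; with several replicas the counters belong in the shared Dragonfly cache so a client cannot multiply its quota by hitting different instances.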
### Input Validation
- All inputs validated and sanitized
- SQL injection protection via parameterized queries
- XSS protection via output encoding
- File upload validation (when implemented)
### CORS Configuration
Production CORS settings:
```bash
SEEN_CORS_ALLOWED_ORIGINS=https://yourdomain.com
SEEN_CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS
SEEN_CORS_ALLOWED_HEADERS=Content-Type,Authorization
SEEN_CORS_ALLOW_CREDENTIALS=true
```
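
The settings above only help if the server matches the `Origin` header exactly and never echoes `*` alongside credentials. The following Go middleware is an added example (not the SEEN backend's own code) that reads those four values, refuses a wildcard origin outright, echoes only an exactly matching origin back in `Access-Control-Allow-Origin`, answers preflights for allowed origins with 204 and rejects preflights from anything else with 403.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CORSConfig mirrors the SEEN_CORS_* settings.
type CORSConfig struct {
	allowed          map[string]bool
	AllowedMethods   string
	AllowedHeaders   string
	AllowCredentials bool
}

// ParseCORSConfig takes the raw variable values. "*" is refused: the policy
// forbids it in production, and with credentials browsers reject it anyway.
func ParseCORSConfig(origins, methods, headers, credentials string) (CORSConfig, error) {
	cfg := CORSConfig{
		allowed:          map[string]bool{},
		AllowedMethods:   methods,
		AllowedHeaders:   headers,
		AllowCredentials: strings.EqualFold(strings.TrimSpace(credentials), "true"),
	}
	for _, o := range strings.Split(origins, ",") {
		o = strings.TrimSpace(o)
		if o == "*" {
			return cfg, errors.New("wildcard origin is not allowed in production")
		}
		if o != "" {
			cfg.allowed[o] = true
		}
	}
	if len(cfg.allowed) == 0 {
		return cfg, errors.New("no allowed origins configured")
	}
	return cfg, nil
}

// OriginAllowed matches scheme, host and port exactly; no prefix or suffix
// matching, which is where most CORS bypasses come from.
func (c CORSConfig) OriginAllowed(origin string) bool { return c.allowed[origin] }

// Middleware: requests without Origin are not cross-origin browser requests
// and pass through. A disallowed origin gets no CORS headers (the browser then
// blocks the response); a disallowed preflight is answered 403.
func (c CORSConfig) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" {
			next.ServeHTTP(w, r)
			return
		}
		w.Header().Add("Vary", "Origin") // caches must not reuse a response across origins
		if !c.OriginAllowed(origin) {
			if r.Method == http.MethodOptions {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", origin) // the exact origin, never "*"
		if c.AllowCredentials {
			h.Set("Access-Control-Allow-Credentials", "true")
		}
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			h.Set("Access-Control-Allow-Methods", c.AllowedMethods)
			h.Set("Access-Control-Allow-Headers", c.AllowedHeaders)
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	cfg, err := ParseCORSConfig("https://yourdomain.com", "GET,POST,PUT,DELETE,OPTIONS", "Content-Type,Authorization", "true")
	if err != nil {
		panic(err)
	}
	h := cfg.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") }))
	for _, origin := range []string{"https://yourdomain.com", "https://notyourdomain.com"} { // constructed
		req := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
		req.Header.Set("Origin", origin)
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		fmt.Printf("%s -> %d, ACAO=%q\n", origin, rec.Code, rec.Header().Get("Access-Control-Allow-Origin"))
	}
}
```

The `Vary: Origin` header is easy to forget: without it a shared cache can serve a response carrying one origin's `Access-Control-Allow-Origin` to a different origin.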
## Infrastructure Security
### Docker Security
1. **Non-root User**
   - Backend runs as non-root user (UID 10001)
   - Minimal attack surface
2. **Resource Limits**
   - CPU and memory limits configured
   - Prevents resource exhaustion attacks
3. **Network Isolation**
   - Services communicate via internal network
   - Only necessary ports exposed
4. **Image Security**
   - Use official base images
   - Regular updates for security patches
   - Minimal image size
### Database Security
1. **Access Control**
   - Strong password required
   - Limited to internal network
   - Connection pooling configured
2. **Backup Security**
   - Automated daily backups
   - Encrypted backup storage recommended
   - 7-day retention policy
3. **Monitoring**
   - Health checks enabled
   - Connection monitoring
   - Query logging (optional)
### Cache Security
1. **Access Control**
   - Password protection in production
   - Limited to internal network
   - Memory limits configured
2. **Data Expiration**
   - Automatic TTL on all cached data
   - LRU eviction policy
   - Regular cleanup
## Monitoring and Logging
### Security Logging
- All authentication attempts logged
- Failed login attempts tracked
- API access logged with request IDs
- Error logging with stack traces (dev only)
### Log Security
- Logs stored in JSON format
- No sensitive data in logs (passwords, tokens)
- Log rotation configured (10MB max, 3 files)
- Centralized logging recommended
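
The two lists above (log every authentication attempt with a request ID; never let passwords or tokens into the log) pull in opposite directions unless redaction is enforced at the logging call rather than left to each caller. The Go program below is an added example, not the SEEN backend's logger: it emits one JSON line per event and replaces values under sensitive keys with `[redacted]` before encoding, so the record still shows that the field was present. The `AuthEvent` shape and key list are assumptions.

```go
package main

import (
	"encoding/json"
	"io"
	"os"
	"strings"
	"time"
)

// Keys whose values must never reach a log line, whatever the caller passes.
// Matched case-insensitively. This list is an assumption for the example.
var sensitiveKeys = map[string]bool{
	"password": true, "new_password": true, "token": true, "refresh_token": true,
	"access_token": true, "authorization": true, "cookie": true, "jwt_secret": true,
}

// AuthEvent is one structured security log record (assumed shape).
type AuthEvent struct {
	Time      string         `json:"time"`
	Event     string         `json:"event"` // e.g. "login_success", "login_failed"
	RequestID string         `json:"request_id"`
	UserID    string         `json:"user_id,omitempty"`
	ClientIP  string         `json:"client_ip,omitempty"`
	Fields    map[string]any `json:"fields,omitempty"`
}

// Redact returns a copy of fields with sensitive keys replaced by "[redacted]"
// rather than dropped; the caller's map is left untouched.
func Redact(fields map[string]any) map[string]any {
	out := make(map[string]any, len(fields))
	for k, v := range fields {
		if sensitiveKeys[strings.ToLower(k)] {
			out[k] = "[redacted]"
		} else {
			out[k] = v
		}
	}
	return out
}

// EncodeAuthEvent produces the JSON line, stamping the time if absent.
// Redaction happens here, so no call site can forget it.
func EncodeAuthEvent(ev AuthEvent) ([]byte, error) {
	ev.Fields = Redact(ev.Fields)
	if ev.Time == "" {
		ev.Time = time.Now().UTC().Format(time.RFC3339)
	}
	return json.Marshal(ev)
}

// LogAuthEvent writes one newline-terminated JSON record to w.
func LogAuthEvent(w io.Writer, ev AuthEvent) error {
	line, err := EncodeAuthEvent(ev)
	if err != nil {
		return err
	}
	_, err = w.Write(append(line, '\n'))
	return err
}

func main() {
	// Constructed sample: a failed login where a careless caller passed the
	// submitted password along with the other fields.
	_ = LogAuthEvent(os.Stdout, AuthEvent{
		Event:     "login_failed",
		RequestID: "req-0001",
		ClientIP:  "203.0.113.7",
		Fields:    map[string]any{"username": "alice", "password": "hunter2", "reason": "bad_password"},
	})
}
```

Key-based redaction is a backstop, not a complete answer: a token pasted into a free-text `reason` field would still go through, so callers should log identifiers and outcomes, not request bodies. Tracking failed attempts per user over a window can reuse the same sliding-window structure as the rate limiter.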
### Monitoring
- Health check endpoints for uptime monitoring
- Metrics endpoint for Prometheus (optional)
- Alert on failed health checks
- Monitor for unusual activity
## Vulnerability Reporting
If you discover a security vulnerability, please email: security@yourdomain.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will respond within 48 hours and provide updates on the fix timeline.
## Security Updates
- Security patches released as soon as possible
- Critical vulnerabilities announced via GitHub Security Advisories
- Regular dependency updates
- Subscribe to security mailing list (coming soon)
## Compliance
### Data Protection
- User passwords hashed and salted
- Session tokens encrypted
- No plain text storage of sensitive data
- Data retention policies configurable
### Privacy
- Minimal data collection
- User data not shared with third parties
- TMDB and IGDB API calls server-side only
- No tracking or analytics by default
## Security Checklist
Before deploying to production:
- [ ] Strong JWT secret generated (32+ bytes)
- [ ] Strong database password set
- [ ] HTTPS/TLS enabled with valid certificate
- [ ] Security headers configured
- [ ] CORS properly configured
- [ ] Rate limiting enabled
- [ ] Secure cookies enabled
- [ ] Database not exposed to internet
- [ ] Cache not exposed to internet
- [ ] Firewall configured
- [ ] Backups enabled and tested
- [ ] Log rotation configured
- [ ] Resource limits set
- [ ] Environment files secured
- [ ] Dependencies updated
- [ ] Security scan completed
## Security Tools
### Recommended Tools
1. **Dependency Scanning**
   ```bash
   # Frontend
   cd frontend && npm audit
   # Backend
   cd backend && go list -json -m all | nancy sleuth
   ```
2. **Container Scanning**
   ```bash
   docker scan seen-backend
   docker scan seen-frontend
   # `docker scan` has been retired; `docker scout cves <image>` or `trivy image <image>` are current equivalents
   ```
3. **SSL Testing**
   ```bash
   # Test SSL configuration
   testssl.sh https://yourdomain.com
   ```
4. **Security Headers**
   ```bash
   # Check security headers
   curl -I https://yourdomain.com
   ```
## Additional Resources
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Docker Security Best Practices](https://docs.docker.com/engine/security/)
- [Go Security Best Practices](https://golang.org/doc/security/)
- [SolidJS Security](https://www.solidjs.com/guides/security)
## License
This security policy is part of the SEEN project and follows the same license.
---
**Last Updated**: April 6, 2026
**Version**: 1.0.0