75 lines
3.3 KiB
Markdown
75 lines
3.3 KiB
Markdown
# Security Review (Public Launch Baseline)
|
|
|
|
## Purpose
|
|
This document tracks launch-critical security findings for app, data, users, and host exposure, plus current mitigation status.
|
|
|
|
## Findings and Status
|
|
|
|
1. Direct home-IP exposure increases scanning and DDoS risk.
|
|
- Status: Partially mitigated.
|
|
- Mitigations in repo:
|
|
- TLS + HTTPS redirect (`docker/nginx/fiddy.conf`)
|
|
- request rate limits (`docker/nginx/fiddy.conf`)
|
|
- connection cap (`docker/nginx/fiddy.conf`)
|
|
- Required ops actions:
|
|
- enforce host firewall allowlist rules
|
|
- restrict SSH to VPN or fixed allowlist
|
|
- consider optional upstream shielding (Cloudflare free tier)
|
|
|
|
2. API abuse risk (auth and write endpoints).
|
|
- Status: Mitigated.
|
|
- Mitigations in repo:
|
|
- server-side rate limiting (`apps/web/lib/server/rate-limit.ts`)
|
|
- auth route limiter integration (`apps/web/app/api/auth/login/route.ts`, `apps/web/app/api/auth/register/route.ts`)
|
|
- write-path limiter integration in server services (`apps/web/lib/server/*.ts`)
|
|
- proxy rate limits (`docker/nginx/fiddy.conf`)
|
|
|
|
3. Sensitive log exposure risk.
|
|
- Status: Mitigated.
|
|
- Mitigations in repo:
|
|
- invite/token/password redaction in error logging (`apps/web/lib/server/errors.ts`)
|
|
- invite metadata stores last4 only (`apps/web/lib/server/groups.ts`, `apps/web/lib/server/group-invites.ts`)
|
|
- removed client debug console output (`apps/web/components/tag-input.tsx`)
|
|
|
|
4. Request traceability gaps for incident response.
|
|
- Status: Mitigated.
|
|
- Mitigations in repo:
|
|
- API response includes `request_id` + `requestId` compatibility alias
|
|
- request-id propagation through proxy (`docker/nginx/includes/fiddy-proxy.conf`)
|
|
- request-id response header (`docker/nginx/fiddy.conf`)
|
|
- structured JSON access logging (`docker/nginx/fiddy.conf`)
|
|
- nginx log ingestion by promtail (`docker/observability/promtail-config.yml`)
|
|
|
|
5. Session and auth contract risk.
|
|
- Status: Mitigated.
|
|
- Mitigations in repo:
|
|
- DB-backed sessions with HttpOnly cookie use preserved (`apps/web/lib/server/session.ts`, auth routes)
|
|
- route/service authorization remains server-side (`apps/web/lib/server/group-access.ts`, service modules)
|
|
|
|
6. Data leakage risk for receipt bytes.
|
|
- Status: Mitigated.
|
|
- Mitigations in repo:
|
|
- entries list services do not return receipt bytes (`apps/web/lib/server/entries.ts`)
|
|
- receipt bytes remain separate retrieval flow by contract
|
|
|
|
## Open Operational Tasks (Not Code)
|
|
1. Rotate all production secrets before public launch.
|
|
2. Run weekly restore drill and track measured RTO/RPO.
|
|
3. Enable host-level ban tooling (Fail2ban or CrowdSec) on nginx logs.
|
|
4. Create Grafana alerts for:
|
|
- elevated 5xx rate
|
|
- repeated 401/403 spikes
|
|
- DB connectivity failures
|
|
- disk usage thresholds
|
|
|
|
## Verification Checklist
|
|
- [x] `npm run lint` passes (warnings acceptable for now).
|
|
- [x] `npm test` passes.
|
|
- [x] `npm run build` passes.
|
|
- [ ] Production host firewall rules verified (`scripts/harden-host-ufw.sh` + `scripts/check-host-security.sh`).
|
|
- [ ] SSH restricted to VPN/allowlist.
|
|
- [ ] Backup restore drill logged for current week (`scripts/restore-drill-postgres.sh`).
|
|
- [ ] Backup restore drill logged for current week (`scripts/restore-drill-postgres.sh` + `scripts/log-restore-drill.sh`).
|
|
- [ ] Base backup job configured and validated (`scripts/basebackup-postgres.sh`).
|
|
- [ ] Auto-ban tooling configured (fail2ban or crowdsec) from `docker/security/`.
|