nalalangan/fiddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
52af2a755c
fiddy/docs/06_SECURITY_REVIEW.md
Nico f8e426542d
Some checks failed
Build & Deploy Fiddy (Dokploy) / build (push) Has been cancelled
Details
Build & Deploy Fiddy (Dokploy) / deploy (push) Has been cancelled
Details
feat: implement schedules pivot, scheduler service, and dokploy deploy flow
2026-02-15 17:10:58 -08:00

74 lines
3.3 KiB
Markdown
Raw Blame History

# Security Review (Public Launch Baseline)
## Purpose
This document tracks launch-critical security findings for app, data, users, and host exposure, plus current mitigation status.
## Findings and Status
1. Direct home-IP exposure increases scanning and DDoS risk.
- Status: Partially mitigated.
- Mitigations in repo:
- TLS + HTTPS redirect (apply via existing Nginx using `docker/nginx/fiddy.conf` template)
- request rate limits (existing Nginx with `docker/nginx/fiddy.conf` template)
- connection cap (existing Nginx with `docker/nginx/fiddy.conf` template)
- Required ops actions:
- enforce host firewall allowlist rules
- restrict SSH to VPN or fixed allowlist
- consider optional upstream shielding (Cloudflare free tier)
2. API abuse risk (auth and write endpoints).
- Status: Mitigated.
- Mitigations in repo:
- server-side rate limiting (`apps/web/lib/server/rate-limit.ts`)
- auth route limiter integration (`apps/web/app/api/auth/login/route.ts`, `apps/web/app/api/auth/register/route.ts`)
- write-path limiter integration in server services (`apps/web/lib/server/*.ts`)
- proxy rate limits (`docker/nginx/fiddy.conf`)
3. Sensitive log exposure risk.
- Status: Mitigated.
- Mitigations in repo:
- invite/token/password redaction in error logging (`apps/web/lib/server/errors.ts`)
- invite metadata stores last4 only (`apps/web/lib/server/groups.ts`, `apps/web/lib/server/group-invites.ts`)
- removed client debug console output (`apps/web/components/tag-input.tsx`)
4. Request traceability gaps for incident response.
- Status: Mitigated.
- Mitigations in repo:
- API response includes `request_id` + `requestId` compatibility alias
- request-id propagation through proxy (`docker/nginx/includes/fiddy-proxy.conf`)
- request-id response header (`docker/nginx/fiddy.conf`)
- structured JSON access logging (`docker/nginx/fiddy.conf`)
- nginx log ingestion by promtail (`docker/observability/promtail-config.yml`)
5. Session and auth contract risk.
- Status: Mitigated.
- Mitigations in repo:
- DB-backed sessions with HttpOnly cookie use preserved (`apps/web/lib/server/session.ts`, auth routes)
- route/service authorization remains server-side (`apps/web/lib/server/group-access.ts`, service modules)
6. Data leakage risk for receipt bytes.
- Status: Mitigated.
- Mitigations in repo:
- entries list services do not return receipt bytes (`apps/web/lib/server/entries.ts`)
- receipt bytes remain separate retrieval flow by contract
## Open Operational Tasks (Not Code)
1. Rotate all production secrets before public launch.
2. Run weekly restore drill and track measured RTO/RPO.
3. Enable host-level ban tooling (Fail2ban or CrowdSec) on nginx logs.
4. Create Grafana alerts for:
- elevated 5xx rate
- repeated 401/403 spikes
- DB connectivity failures
- disk usage thresholds
## Verification Checklist
- [x] `npm run lint` passes (warnings acceptable for now).
- [x] `npm test` passes.
- [x] `npm run build` passes.
- [ ] Production host firewall rules verified (`scripts/harden-host-ufw.sh` + `scripts/check-host-security.sh`).
- [ ] SSH restricted to VPN/allowlist.
- [ ] Backup restore drill logged for current week (`scripts/restore-drill-postgres.sh` + `scripts/log-restore-drill.sh`).
- [ ] Base backup job configured and validated (`scripts/basebackup-postgres.sh`).
- [ ] Auto-ban tooling configured (fail2ban or crowdsec) from `docker/security/`.
Reference in New Issue View Git Blame Copy Permalink