nalalangan/fiddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
eef058027d
fiddy/docs/06_SECURITY_REVIEW.md

3.3 KiB
Raw Blame History

Security Review (Public Launch Baseline)

Purpose

This document tracks launch-critical security findings for app, data, users, and host exposure, plus current mitigation status.

Findings and Status

  1. Direct home-IP exposure increases scanning and DDoS risk.
  • Status: Partially mitigated.
  • Mitigations in repo:
    • TLS + HTTPS redirect (docker/nginx/fiddy.conf)
    • request rate limits (docker/nginx/fiddy.conf)
    • connection cap (docker/nginx/fiddy.conf)
  • Required ops actions:
    • enforce host firewall allowlist rules
    • restrict SSH to VPN or fixed allowlist
    • consider optional upstream shielding (Cloudflare free tier)
  1. API abuse risk (auth and write endpoints).
  • Status: Mitigated.
  • Mitigations in repo:
    • server-side rate limiting (apps/web/lib/server/rate-limit.ts)
    • auth route limiter integration (apps/web/app/api/auth/login/route.ts, apps/web/app/api/auth/register/route.ts)
    • write-path limiter integration in server services (apps/web/lib/server/*.ts)
    • proxy rate limits (docker/nginx/fiddy.conf)
  1. Sensitive log exposure risk.
  • Status: Mitigated.
  • Mitigations in repo:
    • invite/token/password redaction in error logging (apps/web/lib/server/errors.ts)
    • invite metadata stores last4 only (apps/web/lib/server/groups.ts, apps/web/lib/server/group-invites.ts)
    • removed client debug console output (apps/web/components/tag-input.tsx)
  1. Request traceability gaps for incident response.
  • Status: Mitigated.
  • Mitigations in repo:
    • API response includes request_id + requestId compatibility alias
    • request-id propagation through proxy (docker/nginx/includes/fiddy-proxy.conf)
    • request-id response header (docker/nginx/fiddy.conf)
    • structured JSON access logging (docker/nginx/fiddy.conf)
    • nginx log ingestion by promtail (docker/observability/promtail-config.yml)
  1. Session and auth contract risk.
  • Status: Mitigated.
  • Mitigations in repo:
    • DB-backed sessions with HttpOnly cookie use preserved (apps/web/lib/server/session.ts, auth routes)
    • route/service authorization remains server-side (apps/web/lib/server/group-access.ts, service modules)
  1. Data leakage risk for receipt bytes.
  • Status: Mitigated.
  • Mitigations in repo:
    • entries list services do not return receipt bytes (apps/web/lib/server/entries.ts)
    • receipt bytes remain separate retrieval flow by contract

Open Operational Tasks (Not Code)

  1. Rotate all production secrets before public launch.
  2. Run weekly restore drill and track measured RTO/RPO.
  3. Enable host-level ban tooling (Fail2ban or CrowdSec) on nginx logs.
  4. Create Grafana alerts for:
  • elevated 5xx rate
  • repeated 401/403 spikes
  • DB connectivity failures
  • disk usage thresholds

Verification Checklist

  • npm run lint passes (warnings acceptable for now).
  • npm test passes.
  • npm run build passes.
  • Production host firewall rules verified (scripts/harden-host-ufw.sh + scripts/check-host-security.sh).
  • SSH restricted to VPN/allowlist.
  • Backup restore drill logged for current week (scripts/restore-drill-postgres.sh).
  • Backup restore drill logged for current week (scripts/restore-drill-postgres.sh + scripts/log-restore-drill.sh).
  • Base backup job configured and validated (scripts/basebackup-postgres.sh).
  • Auto-ban tooling configured (fail2ban or crowdsec) from docker/security/.