Security Review (Public Launch Baseline)
Purpose
This document tracks launch-critical security findings for app, data, users, and host exposure, plus current mitigation status.
Findings and Status
- Direct home-IP exposure increases scanning and DDoS risk.
  - Status: Partially mitigated.
  - Mitigations in repo:
    - TLS + HTTPS redirect (`docker/nginx/fiddy.conf`)
    - request rate limits (`docker/nginx/fiddy.conf`)
    - connection cap (`docker/nginx/fiddy.conf`)
  - Required ops actions:
    - enforce host firewall allowlist rules
    - restrict SSH to VPN or fixed allowlist
    - consider optional upstream shielding (Cloudflare free tier)
- API abuse risk (auth and write endpoints).
  - Status: Mitigated.
  - Mitigations in repo:
    - server-side rate limiting (`apps/web/lib/server/rate-limit.ts`)
    - auth route limiter integration (`apps/web/app/api/auth/login/route.ts`, `apps/web/app/api/auth/register/route.ts`)
    - write-path limiter integration in server services (`apps/web/lib/server/*.ts`)
    - proxy rate limits (`docker/nginx/fiddy.conf`)
- Sensitive log exposure risk.
  - Status: Mitigated.
  - Mitigations in repo:
    - invite/token/password redaction in error logging (`apps/web/lib/server/errors.ts`)
    - invite metadata stores last4 only (`apps/web/lib/server/groups.ts`, `apps/web/lib/server/group-invites.ts`)
    - removed client debug console output (`apps/web/components/tag-input.tsx`)
- Request traceability gaps for incident response.
  - Status: Mitigated.
  - Mitigations in repo:
    - API response includes `request_id` + `requestId` compatibility alias
    - request-id propagation through proxy (`docker/nginx/includes/fiddy-proxy.conf`)
    - request-id response header (`docker/nginx/fiddy.conf`)
    - structured JSON access logging (`docker/nginx/fiddy.conf`)
    - nginx log ingestion by promtail (`docker/observability/promtail-config.yml`)
- Session and auth contract risk.
  - Status: Mitigated.
  - Mitigations in repo:
    - DB-backed sessions with HttpOnly cookie use preserved (`apps/web/lib/server/session.ts`, auth routes)
    - route/service authorization remains server-side (`apps/web/lib/server/group-access.ts`, service modules)
- Data leakage risk for receipt bytes.
  - Status: Mitigated.
  - Mitigations in repo:
    - entries list services do not return receipt bytes (`apps/web/lib/server/entries.ts`)
    - receipt bytes remain a separate retrieval flow by contract
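As an added illustration of the redaction pattern behind the sensitive-log finding above (example code, not the project's `apps/web/lib/server/errors.ts`): a helper that masks password/token fields in an error's context object, keeps only the last four characters of an invite code for support correlation, and scrubs `key=value` pairs that leak into error messages or URLs. The key names, suffix matching and mask format are assumptions.

```typescript
// Added example, not the project's own errors.ts: redact secrets from an
// error record before it reaches the logger. Key names and mask format are assumptions.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

// Invite-style keys keep their last four characters; everything else sensitive is masked fully.
const LAST4_KEYS = new Set(["invite", "invitecode"]);
const SENSITIVE_SUFFIX = /(password|token|secret|invite)$/;

function isSensitive(lowerKey: string): boolean {
  return LAST4_KEYS.has(lowerKey) || SENSITIVE_SUFFIX.test(lowerKey);
}

// "INV-7781-QX9Z" -> "****QX9Z"; values of four characters or fewer are masked entirely.
export function last4(value: string): string {
  return value.length <= 4 ? "*".repeat(value.length) : "****" + value.slice(-4);
}

// Walk an arbitrary JSON context object and mask sensitive string fields at any depth.
export function redact(value: Json): Json {
  if (Array.isArray(value)) return value.map(redact);
  if (value === null || typeof value !== "object") return value;
  const out: { [key: string]: Json } = {};
  for (const [key, child] of Object.entries(value)) {
    const lower = key.toLowerCase();
    if (typeof child === "string" && isSensitive(lower)) {
      out[key] = LAST4_KEYS.has(lower) ? last4(child) : "[REDACTED]";
    } else {
      out[key] = redact(child);
    }
  }
  return out;
}

// Scrub key=value pairs that leak into free-text messages or request URLs.
const KV_PATTERN = /(password|token|invite|secret)=[^&\s"']+/gi;
export function scrubMessage(message: string): string {
  return message.replace(KV_PATTERN, (_match, key: string) => `${key}=[REDACTED]`);
}

// The record a route handler would hand to the logger instead of the raw error.
export function safeErrorRecord(err: Error, context: Json): { message: string; context: Json } {
  return { message: scrubMessage(err.message), context: redact(context) };
}

// Constructed sample input: what a failed login handler might pass to the logger.
const sample = safeErrorRecord(
  new Error("login failed for token=abc123 at /api/auth/login"),
  { user: "alice", password: "hunter2", invite: "INV-7781-QX9Z", meta: { sessionToken: "t0k3n" } },
);
console.log(JSON.stringify(sample));
```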
Open Operational Tasks (Not Code)
- Rotate all production secrets before public launch.
- Run weekly restore drill and track measured RTO/RPO.
- Enable host-level ban tooling (Fail2ban or CrowdSec) on nginx logs.
- Create Grafana alerts for:
  - elevated 5xx rate
  - repeated 401/403 spikes
  - DB connectivity failures
  - disk usage thresholds
Verification Checklist
- `npm run lint` passes (warnings acceptable for now).
- `npm test` passes.
- `npm run build` passes.
- Production host firewall rules verified (`scripts/harden-host-ufw.sh` + `scripts/check-host-security.sh`).
- SSH restricted to VPN/allowlist.
- Backup restore drill logged for current week (`scripts/restore-drill-postgres.sh`).