likwid/docs/admin/security.md

# Security Best Practices

Securing your Likwid instance.

## Authentication

### JWT Tokens
- Use a strong, random `JWT_SECRET` (64+ characters)
- Tokens expire after 24 hours by default
- Refresh tokens are not stored server-side

### Password Policy
- Minimum 8 characters (configurable)
- Bcrypt hashing with cost factor 12
- No password in logs or error messages

### Two-Factor Authentication
Enable 2FA support for users:
- TOTP (Time-based One-Time Password)
- Backup codes for recovery

## Network Security

### HTTPS
Always use HTTPS in production:
- Obtain certificates (Let's Encrypt recommended)
- Configure reverse proxy for TLS termination
- Enable HSTS headers

### CORS
Restrict CORS in production:
```
CORS_ALLOWED_ORIGINS=https://likwid.example.org
```

### Rate Limiting
Protect against abuse:
- 300 requests/minute per IP (default)
- 1200 requests/minute per authenticated user
- 30 requests/minute per IP for auth endpoints

## Database Security

### Connection
- Use SSL for database connections
- Dedicated database user with minimal privileges
- Strong, unique password

### Backups
- Regular automated backups
- Encrypted backup storage
- Test restore procedures

## API Security

### Input Validation
All inputs are validated:
- Type checking
- Length limits
- Sanitization

### SQL Injection
- Parameterized queries only (SQLx)
- No raw SQL string concatenation

### XSS Prevention
- HTML escaping in templates
- Content Security Policy headers
- No inline scripts in production

## Moderation Audit Trail

All moderation actions are logged:
- Who performed the action
- What action was taken
- Why (reason required)
- When it happened

Logs are immutable and tamper-evident.

## Updates

Keep Likwid updated:
- Watch the repository for security announcements
- Apply patches promptly
- Test updates in staging first

## Incident Response

If you discover a security issue:
1. Document the incident
2. Assess impact
3. Contain the breach
4. Notify affected users if required
5. Report to Likwid security team

## Reporting Vulnerabilities

Report security issues to: security@likwid.org

We follow responsible disclosure practices.
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`# Security Best Practices`

			`Securing your Likwid instance.`

			`## Authentication`

			`### JWT Tokens`
			- Use a strong, random `JWT_SECRET` (64+ characters)
			`- Tokens expire after 24 hours by default`
			`- Refresh tokens are not stored server-side`

			`### Password Policy`
			`- Minimum 8 characters (configurable)`
			`- Bcrypt hashing with cost factor 12`
			`- No password in logs or error messages`

			`### Two-Factor Authentication`
			`Enable 2FA support for users:`
			`- TOTP (Time-based One-Time Password)`
			`- Backup codes for recovery`

			`## Network Security`

			`### HTTPS`
			`Always use HTTPS in production:`
			`- Obtain certificates (Let's Encrypt recommended)`
			`- Configure reverse proxy for TLS termination`
			`- Enable HSTS headers`

			`### CORS`
			`Restrict CORS in production:`
			```
			`CORS_ALLOWED_ORIGINS=https://likwid.example.org`
			```

			`### Rate Limiting`
			`Protect against abuse:`
backend: add configurable rate limiting 2026-02-02 17:51:14 +00:00			`- 300 requests/minute per IP (default)`
			`- 1200 requests/minute per authenticated user`
			`- 30 requests/minute per IP for auth endpoints`
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00
			`## Database Security`

			`### Connection`
			`- Use SSL for database connections`
			`- Dedicated database user with minimal privileges`
			`- Strong, unique password`

			`### Backups`
			`- Regular automated backups`
			`- Encrypted backup storage`
			`- Test restore procedures`

			`## API Security`

			`### Input Validation`
			`All inputs are validated:`
			`- Type checking`
			`- Length limits`
			`- Sanitization`

			`### SQL Injection`
			`- Parameterized queries only (SQLx)`
			`- No raw SQL string concatenation`

			`### XSS Prevention`
			`- HTML escaping in templates`
			`- Content Security Policy headers`
			`- No inline scripts in production`

			`## Moderation Audit Trail`

			`All moderation actions are logged:`
			`- Who performed the action`
			`- What action was taken`
			`- Why (reason required)`
			`- When it happened`

			`Logs are immutable and tamper-evident.`

			`## Updates`

			`Keep Likwid updated:`
			`- Watch the repository for security announcements`
			`- Apply patches promptly`
			`- Test updates in staging first`

			`## Incident Response`

			`If you discover a security issue:`
			`1. Document the incident`
			`2. Assess impact`
			`3. Contain the breach`
			`4. Notify affected users if required`
			`5. Report to Likwid security team`

			`## Reporting Vulnerabilities`

			`Report security issues to: security@likwid.org`

			`We follow responsible disclosure practices.`