likwid/docs/admin/security.md

# Security Best Practices

Securing your Likwid instance.

## Authentication

### JWT Tokens

- Use a strong, random `JWT_SECRET` (64+ characters)
- Tokens expire after 24 hours by default
- Refresh tokens are not stored server-side

### Password Policy

- Minimum 8 characters (configurable)
- Bcrypt hashing with cost factor 12
- No password in logs or error messages

### Two-Factor Authentication

Enable 2FA support for users:

- TOTP (Time-based One-Time Password)
- Backup codes for recovery

## Network Security

### HTTPS

Always use HTTPS in production:

- Obtain certificates (Let's Encrypt recommended)
- Configure reverse proxy for TLS termination
- Enable HSTS headers

### Security Headers

The backend sets a small set of security headers on responses by default:

- `X-Content-Type-Options: nosniff`
- `X-Frame-Options: DENY`
- `Referrer-Policy: no-referrer`
- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
- `X-Permitted-Cross-Domain-Policies: none`

Set `Strict-Transport-Security` (HSTS) on your reverse proxy, because the backend does not know whether requests arrived via HTTPS.

### CORS

Restrict CORS in production:

```bash
CORS_ALLOWED_ORIGINS=https://likwid.example.org
```

For multiple origins, use a comma-separated list:

```bash
CORS_ALLOWED_ORIGINS=https://openlikwid.org,https://staging.openlikwid.org
```

### Rate Limiting

Protect against abuse:

- 300 requests/minute per IP (default)
- 1200 requests/minute per authenticated user
- 30 requests/minute per IP for auth endpoints

## Database Security

### Connection

- Use SSL for database connections
- Dedicated database user with minimal privileges
- Strong, unique password

### Backups

- Regular automated backups
- Encrypted backup storage
- Test restore procedures

## API Security

### Input Validation

All inputs are validated:

- Type checking
- Length limits
- Sanitization

### SQL Injection

- Parameterized queries only (SQLx)
- No raw SQL string concatenation

### XSS Prevention

- HTML escaping in templates
- Content Security Policy headers
- No inline scripts in production

## Moderation Audit Trail

All moderation actions are logged:

- Who performed the action
- What action was taken
- Why (reason required)
- When it happened

Logs are immutable and tamper-evident.

## Updates

Keep Likwid updated:

- Watch the repository for security announcements
- Apply patches promptly
- Test updates in staging first

## Incident Response

If you discover a security issue:

1. Document the incident
2. Assess impact
3. Contain the breach
4. Notify affected users if required
5. Report to Likwid security team

## Reporting Vulnerabilities

Report security issues to: [security@likwid.org](mailto:security@likwid.org)

We follow responsible disclosure practices.
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`# Security Best Practices`

			`Securing your Likwid instance.`

			`## Authentication`

			`### JWT Tokens`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			- Use a strong, random `JWT_SECRET` (64+ characters)
			`- Tokens expire after 24 hours by default`
			`- Refresh tokens are not stored server-side`

			`### Password Policy`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`- Minimum 8 characters (configurable)`
			`- Bcrypt hashing with cost factor 12`
			`- No password in logs or error messages`

			`### Two-Factor Authentication`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`Enable 2FA support for users:`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`- TOTP (Time-based One-Time Password)`
			`- Backup codes for recovery`

			`## Network Security`

			`### HTTPS`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`Always use HTTPS in production:`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`- Obtain certificates (Let's Encrypt recommended)`
			`- Configure reverse proxy for TLS termination`
			`- Enable HSTS headers`

security: add default security headers 2026-02-12 12:41:51 +00:00			`### Security Headers`

			`The backend sets a small set of security headers on responses by default:`

			- `X-Content-Type-Options: nosniff`
			- `X-Frame-Options: DENY`
			- `Referrer-Policy: no-referrer`
			- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
			- `X-Permitted-Cross-Domain-Policies: none`

			Set `Strict-Transport-Security` (HSTS) on your reverse proxy, because the backend does not know whether requests arrived via HTTPS.

Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`### CORS`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`Restrict CORS in production:`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
			```bash
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`CORS_ALLOWED_ORIGINS=https://likwid.example.org`
			```

security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00			`For multiple origins, use a comma-separated list:`

			```bash
			`CORS_ALLOWED_ORIGINS=https://openlikwid.org,https://staging.openlikwid.org`
			```

Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`### Rate Limiting`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`Protect against abuse:`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
backend: add configurable rate limiting 2026-02-02 17:51:14 +00:00			`- 300 requests/minute per IP (default)`
			`- 1200 requests/minute per authenticated user`
			`- 30 requests/minute per IP for auth endpoints`
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00
			`## Database Security`

			`### Connection`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`- Use SSL for database connections`
			`- Dedicated database user with minimal privileges`
			`- Strong, unique password`

			`### Backups`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`- Regular automated backups`
			`- Encrypted backup storage`
			`- Test restore procedures`

			`## API Security`

			`### Input Validation`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`All inputs are validated:`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`- Type checking`
			`- Length limits`
			`- Sanitization`

			`### SQL Injection`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`- Parameterized queries only (SQLx)`
			`- No raw SQL string concatenation`

			`### XSS Prevention`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`- HTML escaping in templates`
			`- Content Security Policy headers`
			`- No inline scripts in production`

			`## Moderation Audit Trail`

			`All moderation actions are logged:`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`- Who performed the action`
			`- What action was taken`
			`- Why (reason required)`
			`- When it happened`

			`Logs are immutable and tamper-evident.`

			`## Updates`

			`Keep Likwid updated:`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`- Watch the repository for security announcements`
			`- Apply patches promptly`
			`- Test updates in staging first`

			`## Incident Response`

			`If you discover a security issue:`
security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00			`1. Document the incident`
			`2. Assess impact`
			`3. Contain the breach`
			`4. Notify affected users if required`
			`5. Report to Likwid security team`

			`## Reporting Vulnerabilities`

security: configurable CORS allowlist 2026-02-12 11:17:11 +00:00			`Report security issues to: [security@likwid.org](mailto:security@likwid.org)`
Initial commit: Likwid governance platform - Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3 2026-01-27 16:21:58 +00:00
			`We follow responsible disclosure practices.`