mirror of https://codeberg.org/likwid/likwid.git synced 2026-06-25 07:27:42 +00:00

Marco Allegretti a61ec18913 backend, compose, docs, +1: modify 13 files

Verified changes:
- modify backend/.env.example
- modify backend/src/api/auth.rs
- modify backend/src/config/mod.rs
- modify backend/src/rate_limit.rs
- modify compose/.env.demo.example
- modify compose/.env.production.example
- modify compose/demo.yml
- modify compose/production.yml
- modify docs/admin/configuration.md
- modify docs/admin/installation.md
- modify docs/admin/opensuse-operator-kit.md
- modify docs/admin/security.md
- modify frontend/src/middleware.ts

Diffstat:
- 13 files changed, 243 insertions(+), 41 deletions(-)

2026-02-24 19:45:42 +01:00

2.7 KiB

Raw Blame History

Security Best Practices

Securing your Likwid instance.

Authentication

JWT Tokens

Use a strong, random JWT_SECRET (64+ characters)
Tokens expire after 24 hours by default
Refresh tokens are not stored server-side

Password Policy

Minimum 8 characters
Argon2 password hashing (server-side)
No password in logs or error messages

Network Security

HTTPS

Always use HTTPS in production:

Obtain certificates (Let's Encrypt recommended)
Configure reverse proxy for TLS termination
Enable HSTS headers

Security Headers

The backend sets a small set of security headers on responses by default:

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer
Permissions-Policy: camera=(), microphone=(), geolocation=()
X-Permitted-Cross-Domain-Policies: none

Set Strict-Transport-Security (HSTS) on your reverse proxy, because the backend does not know whether requests arrived via HTTPS.

CORS

Restrict CORS in production:

CORS_ALLOWED_ORIGINS=https://likwid.example.org

For multiple origins, use a comma-separated list:

CORS_ALLOWED_ORIGINS=https://openlikwid.org,https://staging.openlikwid.org

Rate Limiting

Protect against abuse:

300 requests/minute per IP (default)
1200 requests/minute per authenticated user
30 requests/minute per IP for auth endpoints

If you run the backend behind a reverse proxy, configure TRUSTED_PROXY_IPS so the backend can safely use X-Forwarded-For / X-Real-IP when applying per-IP limits.

Database Security

Connection

Use SSL for database connections
Dedicated database user with minimal privileges
Strong, unique password

Backups

Regular automated backups
Encrypted backup storage
Test restore procedures

API Security

Input Validation

All inputs are validated:

Type checking
Length limits
Sanitization

SQL Injection

Parameterized queries only (SQLx)
No raw SQL string concatenation

XSS Prevention

HTML escaping in templates
Content Security Policy headers
No inline scripts in production

Moderation Audit Trail

Moderation actions are recorded:

Who performed the action
What action was taken
Why (reason required)
When it happened

Updates

Keep Likwid updated:

Watch the repository for security announcements
Apply patches promptly
Test updates in staging first

Incident Response

If you discover a security issue:

Document the incident
Assess impact
Contain the breach
Notify affected users if required
Report to Likwid security team

Reporting Vulnerabilities

Report security issues to: security@likwid.org

We follow responsible disclosure practices.

2.7 KiB Raw Blame History