mirror of
https://codeberg.org/likwid/likwid.git
synced 2026-03-27 03:03:09 +00:00
131 lines
2.7 KiB
Markdown
# Security Best Practices

Securing your Likwid instance.

## Authentication

### JWT Tokens

- Use a strong, random `JWT_SECRET` (64+ characters): whoever holds it can mint valid tokens for any account
- Tokens expire after 24 hours by default
- Refresh tokens are not stored server-side, so there is no per-token revocation; a leaked token remains usable until it expires

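Generating and checking a `JWT_SECRET` that meets the rule above, as an added example that is not part of the Likwid code base. It assumes a Unix host where `/dev/urandom` is the OS CSPRNG and uses no external crates; the placeholder list and the distinct-character threshold are this example's own heuristics, not something Likwid enforces.

```rust
// Added example, not Likwid project code: generate a JWT_SECRET that meets the
// "strong, random, 64+ characters" rule and check a configured value against it.
// Assumption: a Unix host where /dev/urandom is the OS CSPRNG; no external crates.
use std::collections::HashSet;
use std::fs::File;
use std::io::Read;

/// Minimum length recommended above for JWT_SECRET.
pub const MIN_SECRET_LEN: usize = 64;

/// Read `n` bytes from the OS CSPRNG (assumes /dev/urandom exists).
fn os_random_bytes(n: usize) -> std::io::Result<Vec<u8>> {
    let mut buf = vec![0u8; n];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf)
}

fn hex_encode(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// 32 random bytes (256 bits of entropy) hex-encoded are exactly 64 characters,
/// so the result satisfies the length rule and is safe to paste into a .env file.
pub fn generate_jwt_secret() -> std::io::Result<String> {
    Ok(hex_encode(&os_random_bytes(32)?))
}

/// Pre-deploy check for a configured JWT_SECRET. Length alone is not enough:
/// a long placeholder or a repeated character is still guessable.
pub fn validate_jwt_secret(secret: &str) -> Result<(), String> {
    if secret.len() < MIN_SECRET_LEN {
        return Err(format!(
            "JWT_SECRET is {} characters, need at least {}",
            secret.len(),
            MIN_SECRET_LEN
        ));
    }
    if secret.chars().any(char::is_whitespace) {
        return Err("JWT_SECRET contains whitespace; an .env parser may truncate it".into());
    }
    let lowered = secret.to_ascii_lowercase();
    // Heuristic placeholder list (this example's assumption, not a Likwid rule).
    for placeholder in ["changeme", "password", "secret", "example"] {
        if lowered.contains(placeholder) {
            return Err(format!("JWT_SECRET looks like a placeholder (contains \"{placeholder}\")"));
        }
    }
    // Crude entropy check: a random 64-character hex string uses well over ten
    // distinct characters; a padded or repeated value does not.
    let distinct: HashSet<char> = secret.chars().collect();
    if distinct.len() < 10 {
        return Err("JWT_SECRET uses too few distinct characters".into());
    }
    Ok(())
}

fn main() -> std::io::Result<()> {
    let secret = generate_jwt_secret()?;
    println!("JWT_SECRET={secret}");
    println!("check: {:?}", validate_jwt_secret(&secret));
    Ok(())
}
```

Run it once, paste the printed line into the deployment's environment, and keep `validate_jwt_secret` in a pre-start check so a copied-over `changeme` never reaches production.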
### Password Policy

- Minimum 8 characters
- Argon2 password hashing (server-side)
- Passwords never appear in logs or error messages

## Network Security

### HTTPS

Always use HTTPS in production:

- Obtain certificates (Let's Encrypt recommended)
- Configure a reverse proxy for TLS termination
- Enable HSTS (`Strict-Transport-Security`) on the reverse proxy

### Security Headers

The backend sets a small set of security headers on responses by default:

- `X-Content-Type-Options: nosniff`
- `X-Frame-Options: DENY`
- `Referrer-Policy: no-referrer`
- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
- `X-Permitted-Cross-Domain-Policies: none`

Set `Strict-Transport-Security` (HSTS) on your reverse proxy, because the backend does not know whether a request arrived via HTTPS, and browsers only honour HSTS when they receive it over a TLS connection.

### CORS

Restrict CORS in production to the origin(s) that serve the Likwid frontend:

```bash
CORS_ALLOWED_ORIGINS=https://likwid.example.org
```

For multiple origins, use a comma-separated list:

```bash
CORS_ALLOWED_ORIGINS=https://openlikwid.org,https://staging.openlikwid.org
```

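Matching request origins against that list, as an added example that is not Likwid's own CORS code. It parses the comma-separated format shown above and matches exactly on scheme, host and port, so `https://likwid.example.org.attacker.net` and `http://likwid.example.org` do not match `https://likwid.example.org`; the normalisation rules and the refusal of `*` are this example's choices, and how Likwid itself matches is not shown on this page.

```rust
// Added example, not Likwid project code: parse a CORS_ALLOWED_ORIGINS value in the
// comma-separated form shown above and match request Origin headers against it.
// Matching is exact (scheme + host + port); Likwid's own matching is not shown here.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AllowedOrigins {
    origins: Vec<String>,
}

/// Canonical form of an origin: lowercase scheme and host, no trailing slash,
/// default ports dropped. Anything with a path, query, userinfo or a non-HTTP
/// scheme is rejected, as is the literal "null" a browser sends for opaque origins.
/// (Bracketed IPv6 hosts without a port are not handled by this example.)
pub fn normalize_origin(raw: &str) -> Option<String> {
    let raw = raw.trim().trim_end_matches('/');
    let (scheme, authority) = raw.split_once("://")?;
    let scheme = scheme.to_ascii_lowercase();
    if scheme != "http" && scheme != "https" {
        return None;
    }
    if authority.is_empty() || authority.contains(&['/', '?', '#', '@'][..]) {
        return None;
    }
    let (host, port) = match authority.rsplit_once(':') {
        Some((h, p)) => (h, Some(p)),
        None => (authority, None),
    };
    if host.is_empty() {
        return None;
    }
    if let Some(p) = port {
        if p.is_empty() || !p.chars().all(|c| c.is_ascii_digit()) {
            return None;
        }
    }
    let host = host.to_ascii_lowercase();
    let authority = match (scheme.as_str(), port) {
        ("https", Some("443")) | ("http", Some("80")) | (_, None) => host,
        (_, Some(p)) => format!("{host}:{p}"),
    };
    Some(format!("{scheme}://{authority}"))
}

/// Parse the comma-separated CORS_ALLOWED_ORIGINS value.
pub fn parse_allowed_origins(value: &str) -> Result<AllowedOrigins, String> {
    let mut origins = Vec::new();
    for entry in value.split(',').map(str::trim).filter(|e| !e.is_empty()) {
        if entry == "*" {
            // A wildcard would admit every site; refuse it rather than widen silently.
            return Err("wildcard '*' is not an acceptable production origin".to_string());
        }
        let origin = normalize_origin(entry)
            .ok_or_else(|| format!("invalid origin in CORS_ALLOWED_ORIGINS: {entry}"))?;
        if !origins.contains(&origin) {
            origins.push(origin);
        }
    }
    if origins.is_empty() {
        return Err("CORS_ALLOWED_ORIGINS is empty".to_string());
    }
    Ok(AllowedOrigins { origins })
}

impl AllowedOrigins {
    /// Value to send in Access-Control-Allow-Origin, or None to omit the header.
    /// The matched origin is echoed back; "*" is never emitted.
    pub fn allow_origin_header(&self, origin_header: &str) -> Option<String> {
        let origin = normalize_origin(origin_header)?;
        if self.origins.contains(&origin) {
            Some(origin)
        } else {
            None
        }
    }

    pub fn is_allowed(&self, origin_header: &str) -> bool {
        self.allow_origin_header(origin_header).is_some()
    }
}

fn main() {
    let allowed = parse_allowed_origins("https://openlikwid.org,https://staging.openlikwid.org").unwrap();
    for origin in ["https://openlikwid.org", "http://openlikwid.org", "https://openlikwid.org.attacker.net"] {
        println!("{origin}: {:?}", allowed.allow_origin_header(origin));
    }
}
```

The important property is that the decision is a set-membership test on a canonical string, never a prefix, suffix or regex match, and that the response header echoes the matched origin rather than `*`.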
### Rate Limiting

Protect against abuse:

- 300 requests/minute per IP (default)
- 1200 requests/minute per authenticated user
- 30 requests/minute per IP for auth endpoints

If you run the backend behind a reverse proxy, configure `TRUSTED_PROXY_IPS` so the backend can safely use `X-Forwarded-For` / `X-Real-IP` when applying per-IP limits. Without it the backend sees every request as coming from the proxy's address, so all users share one per-IP budget; trusting those headers from arbitrary peers instead would let a client spoof its address and sidestep the limit.

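The trusted-proxy rule and the three budgets above, as an added example that is not Likwid's rate-limiting code. It treats `TRUSTED_PROXY_IPS` as a comma-separated list of IP addresses (an assumption; the syntax Likwid accepts is not shown on this page), resolves the client address by walking `X-Forwarded-For` from the right past trusted hops, and applies the per-minute limits with a fixed-window counter.

```rust
// Added example, not Likwid project code: pick the client address for per-IP limits
// only when the direct peer is a trusted proxy, then apply the per-minute budgets
// listed above with a fixed-window counter. TRUSTED_PROXY_IPS is assumed to be a
// comma-separated list of IP addresses; Likwid's actual accepted syntax is not shown here.
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::{Duration, Instant};

pub fn parse_trusted_proxies(value: &str) -> Vec<IpAddr> {
    value.split(',').filter_map(|s| s.trim().parse().ok()).collect()
}

/// Resolve the client IP. If the TCP peer is not a trusted proxy, X-Forwarded-For
/// is attacker-controlled and is ignored. Otherwise walk the header from the right
/// (the proxy appends the real client last) and skip every trusted hop; the first
/// untrusted address is the client. A spoofed prefix the client sent itself sits
/// further left and is never reached.
pub fn client_ip(peer: IpAddr, forwarded_for: Option<&str>, trusted: &[IpAddr]) -> IpAddr {
    if !trusted.contains(&peer) {
        return peer;
    }
    let hops: Vec<IpAddr> = forwarded_for
        .unwrap_or("")
        .split(',')
        .filter_map(|s| s.trim().parse().ok())
        .collect();
    hops.iter().rev().copied().find(|hop| !trusted.contains(hop)).unwrap_or(peer)
}

/// Fixed-window counter: `limit` requests per `window` per key. `now` is passed in
/// so the behaviour is deterministic in tests.
pub struct FixedWindowLimiter {
    limit: u32,
    window: Duration,
    counters: HashMap<String, (Instant, u32)>,
}

impl FixedWindowLimiter {
    pub fn new(limit: u32, window: Duration) -> Self {
        Self { limit, window, counters: HashMap::new() }
    }

    /// Returns true and consumes one unit if the key is under its limit.
    pub fn check(&mut self, key: &str, now: Instant) -> bool {
        let entry = self.counters.entry(key.to_string()).or_insert((now, 0));
        if now.saturating_duration_since(entry.0) >= self.window {
            *entry = (now, 0);
        }
        if entry.1 >= self.limit {
            return false;
        }
        entry.1 += 1;
        true
    }
}

/// The three budgets listed above: per IP, per authenticated user, and a tighter
/// per-IP budget for auth endpoints (login and the like).
pub struct Limiters {
    per_ip: FixedWindowLimiter,
    per_user: FixedWindowLimiter,
    auth_per_ip: FixedWindowLimiter,
}

impl Limiters {
    pub fn with_page_defaults() -> Self {
        let minute = Duration::from_secs(60);
        Self {
            per_ip: FixedWindowLimiter::new(300, minute),
            per_user: FixedWindowLimiter::new(1200, minute),
            auth_per_ip: FixedWindowLimiter::new(30, minute),
        }
    }

    /// Budgets are checked strictest first; a request rejected by an earlier check
    /// does not consume the later ones.
    pub fn allow(&mut self, ip: IpAddr, user: Option<&str>, auth_endpoint: bool, now: Instant) -> bool {
        let ip_key = ip.to_string();
        if auth_endpoint && !self.auth_per_ip.check(&ip_key, now) {
            return false;
        }
        if let Some(user) = user {
            if !self.per_user.check(user, now) {
                return false;
            }
        }
        self.per_ip.check(&ip_key, now)
    }
}
```

The check worth keeping from this is the first line of `client_ip`: if the peer is not in the trusted list, the forwarded headers are not consulted at all. Listing a proxy that any client can reach directly, or listing `0.0.0.0/0`-style ranges, reopens the spoofing hole the setting exists to close.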
## Database Security

### Connection

- Use TLS (SSL) for database connections, and verify the server certificate so the connection cannot be intercepted or downgraded
- Dedicated database user with minimal privileges (not a superuser)
- Strong, unique password

### Backups

- Regular automated backups
- Encrypted backup storage
- Test restore procedures; a backup that has never been restored is not known to work

## API Security

### Input Validation

All inputs are validated:

- Type checking
- Length limits
- Sanitization

### SQL Injection

- Parameterized queries only (SQLx)
- No raw SQL string concatenation

### XSS Prevention

- HTML escaping in templates
- Content Security Policy (CSP) headers
- No inline scripts in production

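The Input Validation and XSS Prevention bullets above describe two boundaries: validate on the way in, escape on the way out. The following is an added example that is not Likwid's own code; the `PostBody` type, its 5000-character limit and its character rules are assumptions chosen for illustration, not Likwid's actual limits.

```rust
// Added example, not Likwid project code: validation at the input boundary and
// HTML escaping at the output boundary. `PostBody`, MAX_POST_CHARS and the
// character rules are this example's assumptions, not Likwid's real ones.

pub const MAX_POST_CHARS: usize = 5000;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PostBody(String);

#[derive(Debug, PartialEq, Eq)]
pub enum ValidationError {
    Empty,
    TooLong { chars: usize, max: usize },
    ControlCharacter(char),
}

impl PostBody {
    /// Type checking and length limits at the boundary. The text is stored as the
    /// user typed it (after trimming); tags are not stripped here, because
    /// "sanitising" HTML on input is lossy and does nothing for other output
    /// contexts (JSON, attributes, logs). Escaping belongs at output time.
    pub fn parse(raw: &str) -> Result<PostBody, ValidationError> {
        let text = raw.trim();
        if text.is_empty() {
            return Err(ValidationError::Empty);
        }
        // Count characters, not bytes: a byte limit silently shortens the budget
        // for non-ASCII text and disagrees with the "N characters" rule a UI shows.
        let chars = text.chars().count();
        if chars > MAX_POST_CHARS {
            return Err(ValidationError::TooLong { chars, max: MAX_POST_CHARS });
        }
        // Reject control characters other than newline and tab; they break logs
        // and terminals and have no place in user text.
        if let Some(c) = text.chars().find(|&c| c.is_control() && c != '\n' && c != '\t') {
            return Err(ValidationError::ControlCharacter(c));
        }
        Ok(PostBody(text.to_string()))
    }

    pub fn as_str(&self) -> &str {
        &self.0
    }

    /// Output encoding for an HTML text context, i.e. what "HTML escaping in
    /// templates" does: `<script>` is rendered literally instead of executed.
    pub fn to_html(&self) -> String {
        escape_html(&self.0)
    }
}

/// Escape the five characters that are significant in HTML text and attribute values.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

fn main() {
    match PostBody::parse("<img src=x onerror=alert(1)> & friends") {
        Ok(body) => println!("stored: {}\nrendered: {}", body.as_str(), body.to_html()),
        Err(e) => println!("rejected: {e:?}"),
    }
}
```

Note that `escape_html` is only correct for HTML text and quoted attribute values; text placed into a `<script>` block, a URL or a CSS property needs that context's own encoding, which is why a CSP that forbids inline scripts is listed alongside escaping rather than instead of it.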
## Moderation Audit Trail

Moderation actions are recorded:

- Who performed the action
- What action was taken
- Why (reason required)
- When it happened

## Updates

Keep Likwid updated:

- Watch the repository for security announcements
- Apply patches promptly
- Test updates in staging first

## Incident Response

If you discover a security issue:

1. Document the incident
2. Assess impact
3. Contain the breach
4. Notify affected users if required
5. Report to the Likwid security team

## Reporting Vulnerabilities

Report security issues to: [security@likwid.org](mailto:security@likwid.org)

We follow responsible disclosure practices.