marcoallegretti/likwid
1
0
Fork 0
mirror of https://codeberg.org/likwid/likwid.git synced 2026-02-10 05:23:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
likwid/docs/admin/security.md
Marco Allegretti 910a6465f2 Initial commit: Likwid governance platform 
- Backend: Rust/Axum with PostgreSQL, plugin architecture
- Frontend: Astro with polished UI
- Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic
- Features: Liquid delegation, transparent moderation, structured deliberation
- Documentation: User and admin guides in /docs
- Deployment: Docker/Podman compose files for production and demo
- Demo: Seeded data with 3 communities, 13 users, 7 proposals

License: AGPLv3
2026-01-27 17:21:58 +01:00

2.1 KiB
Raw Blame History

Security Best Practices

Securing your Likwid instance.

Authentication

JWT Tokens

  • Use a strong, random JWT_SECRET (64+ characters)
  • Tokens expire after 24 hours by default
  • Refresh tokens are not stored server-side

Password Policy

  • Minimum 8 characters (configurable)
  • Bcrypt hashing with cost factor 12
  • No password in logs or error messages

Two-Factor Authentication

Enable 2FA support for users:

  • TOTP (Time-based One-Time Password)
  • Backup codes for recovery

Network Security

HTTPS

Always use HTTPS in production:

  • Obtain certificates (Let's Encrypt recommended)
  • Configure reverse proxy for TLS termination
  • Enable HSTS headers

CORS

Restrict CORS in production:

CORS_ALLOWED_ORIGINS=https://likwid.example.org

Rate Limiting

Protect against abuse:

  • 100 requests/minute per IP (default)
  • 1000 requests/minute per authenticated user
  • Configurable per endpoint

Database Security

Connection

  • Use SSL for database connections
  • Dedicated database user with minimal privileges
  • Strong, unique password

Backups

  • Regular automated backups
  • Encrypted backup storage
  • Test restore procedures

API Security

Input Validation

All inputs are validated:

  • Type checking
  • Length limits
  • Sanitization

SQL Injection

  • Parameterized queries only (SQLx)
  • No raw SQL string concatenation

XSS Prevention

  • HTML escaping in templates
  • Content Security Policy headers
  • No inline scripts in production

Moderation Audit Trail

All moderation actions are logged:

  • Who performed the action
  • What action was taken
  • Why (reason required)
  • When it happened

Logs are immutable and tamper-evident.

Updates

Keep Likwid updated:

  • Watch the repository for security announcements
  • Apply patches promptly
  • Test updates in staging first

Incident Response

If you discover a security issue:

  1. Document the incident
  2. Assess impact
  3. Contain the breach
  4. Notify affected users if required
  5. Report to Likwid security team

Reporting Vulnerabilities

Report security issues to: security@likwid.org

We follow responsible disclosure practices.