mirror of
https://codeberg.org/likwid/likwid.git
synced 2026-02-09 21:13:09 +00:00
Marco Allegretti
910a6465f2
- Backend: Rust/Axum with PostgreSQL, plugin architecture - Frontend: Astro with polished UI - Voting methods: Approval, Ranked Choice, Schulze, STAR, Quadratic - Features: Liquid delegation, transparent moderation, structured deliberation - Documentation: User and admin guides in /docs - Deployment: Docker/Podman compose files for production and demo - Demo: Seeded data with 3 communities, 13 users, 7 proposals License: AGPLv3
101 lines
2.1 KiB
Markdown
101 lines
2.1 KiB
Markdown
# Security Best Practices
|
|
|
|
Securing your Likwid instance.
|
|
|
|
## Authentication
|
|
|
|
### JWT Tokens
|
|
- Use a strong, random `JWT_SECRET` (64+ characters)
|
|
- Tokens expire after 24 hours by default
|
|
- Refresh tokens are not stored server-side
|
|
|
|
### Password Policy
|
|
- Minimum 8 characters (configurable)
|
|
- Bcrypt hashing with cost factor 12
|
|
- No password in logs or error messages
|
|
|
|
### Two-Factor Authentication
|
|
Enable 2FA support for users:
|
|
- TOTP (Time-based One-Time Password)
|
|
- Backup codes for recovery
|
|
|
|
## Network Security
|
|
|
|
### HTTPS
|
|
Always use HTTPS in production:
|
|
- Obtain certificates (Let's Encrypt recommended)
|
|
- Configure reverse proxy for TLS termination
|
|
- Enable HSTS headers
|
|
|
|
### CORS
|
|
Restrict CORS in production:
|
|
```
|
|
CORS_ALLOWED_ORIGINS=https://likwid.example.org
|
|
```
|
|
|
|
### Rate Limiting
|
|
Protect against abuse:
|
|
- 100 requests/minute per IP (default)
|
|
- 1000 requests/minute per authenticated user
|
|
- Configurable per endpoint
|
|
|
|
## Database Security
|
|
|
|
### Connection
|
|
- Use SSL for database connections
|
|
- Dedicated database user with minimal privileges
|
|
- Strong, unique password
|
|
|
|
### Backups
|
|
- Regular automated backups
|
|
- Encrypted backup storage
|
|
- Test restore procedures
|
|
|
|
## API Security
|
|
|
|
### Input Validation
|
|
All inputs are validated:
|
|
- Type checking
|
|
- Length limits
|
|
- Sanitization
|
|
|
|
### SQL Injection
|
|
- Parameterized queries only (SQLx)
|
|
- No raw SQL string concatenation
|
|
|
|
### XSS Prevention
|
|
- HTML escaping in templates
|
|
- Content Security Policy headers
|
|
- No inline scripts in production
|
|
|
|
## Moderation Audit Trail
|
|
|
|
All moderation actions are logged:
|
|
- Who performed the action
|
|
- What action was taken
|
|
- Why (reason required)
|
|
- When it happened
|
|
|
|
Logs are immutable and tamper-evident.
|
|
|
|
## Updates
|
|
|
|
Keep Likwid updated:
|
|
- Watch the repository for security announcements
|
|
- Apply patches promptly
|
|
- Test updates in staging first
|
|
|
|
## Incident Response
|
|
|
|
If you discover a security issue:
|
|
1. Document the incident
|
|
2. Assess impact
|
|
3. Contain the breach
|
|
4. Notify affected users if required
|
|
5. Report to Likwid security team
|
|
|
|
## Reporting Vulnerabilities
|
|
|
|
Report security issues to: security@likwid.org
|
|
|
|
We follow responsible disclosure practices.
|