Enhance security architecture and guidelines across documentation and middleware; implement input validation, logging improvements, and security headers in API handlers.
This commit is contained in:
Leon Bösche
@@ -174,6 +174,60 @@ SSL termination and request routing.
|
||||
│◀─────────────────────────────│
|
||||
```
|
||||
|
||||
## Security Architecture
|
||||
|
||||
### Authentication & Authorization
|
||||
|
||||
- **Passkeys (WebAuthn)**: Primary authentication method using FIDO2/U2F security keys
|
||||
- **JWT Tokens**: Session-based tokens with configurable expiration
|
||||
- **Role-Based Access Control (RBAC)**: Owner, Admin, Member roles for organizations
|
||||
- **Permission System**: Granular permissions for file operations (read, write, view, edit)
|
||||
|
||||
### Input Validation & Sanitization
|
||||
|
||||
- **Path Traversal Protection**: All file paths are sanitized to prevent directory traversal attacks
|
||||
- **UUID Validation**: All resource IDs (users, orgs, files) are validated as proper UUIDs
|
||||
- **JSON Schema Validation**: API inputs are validated for correct structure and types
|
||||
|
||||
### Network Security
|
||||
|
||||
- **HTTPS Only**: All external traffic is encrypted via TLS
|
||||
- **CORS Policy**: Restricted to allowed origins with credentials support
|
||||
- **Rate Limiting**: 100 requests/minute general, 10 requests/minute for auth endpoints
|
||||
- **Security Headers**:
|
||||
- `X-Content-Type-Options: nosniff`
|
||||
- `X-Frame-Options: DENY` (except for WOPI/Collabora)
|
||||
- `X-XSS-Protection: 1; mode=block`
|
||||
- `Content-Security-Policy`: Restrictive policy allowing only necessary sources
|
||||
- `Referrer-Policy: strict-origin-when-cross-origin`
|
||||
|
||||
### Data Protection
|
||||
|
||||
- **Encrypted Storage**: Files stored encrypted in Nextcloud
|
||||
- **Secure Passwords**: Auto-generated secure passwords for Nextcloud user accounts
|
||||
- **Audit Logging**: All operations logged with user/org context
|
||||
- **No Secrets in Logs**: Sensitive data never logged
|
||||
|
||||
### API Security
|
||||
|
||||
- **Token Validation**: Every protected endpoint validates JWT tokens
|
||||
- **Session Management**: Secure session handling with database-backed validation
|
||||
- **Error Handling**: Safe error responses that don't leak internal details
|
||||
|
||||
### File Security
|
||||
|
||||
- **Scoped Access**: Users can only access files within their personal workspace or authorized organizations
|
||||
- **Share Tokens**: Public shares use short-lived, single-use tokens
|
||||
- **Nextcloud Integration**: Leverages Nextcloud's security features for file access
|
||||
|
||||
### Infrastructure Security
|
||||
|
||||
- **Container Security**: Docker images run as non-root where possible
|
||||
- **Network Isolation**: Internal Docker networks prevent direct external access
|
||||
- **Deployment Security**: Automated deployments with health checks
|
||||
|
||||
## Data Flow
|
||||
|
||||
### File Upload Flow
|
||||
|
||||
```
|
||||
|
||||
@@ -25,6 +25,34 @@ This guide covers local development setup, coding conventions, and contribution
|
||||
- **TablePlus** or **DBeaver** for database management
|
||||
- **Postman** or **Bruno** for API testing
|
||||
|
||||
## Security Guidelines
|
||||
|
||||
### Code Security
|
||||
|
||||
- **Never log secrets**: Passwords, tokens, keys must never appear in logs
|
||||
- **Validate all inputs**: Use `sanitizePath()` for file paths, validate UUIDs
|
||||
- **Use structured errors**: Return safe error messages that don't leak internal details
|
||||
- **HTTPS only**: All API calls must use HTTPS in production
|
||||
- **Input sanitization**: All user inputs must be validated and sanitized
|
||||
|
||||
### Authentication
|
||||
|
||||
- **JWT tokens**: Use secure, short-lived tokens
|
||||
- **Session validation**: Always validate sessions against database
|
||||
- **Passkey security**: Follow WebAuthn best practices
|
||||
|
||||
### File Operations
|
||||
|
||||
- **Path validation**: Prevent directory traversal with proper path sanitization
|
||||
- **Permission checks**: Verify user permissions before file operations
|
||||
- **Scoped access**: Users can only access authorized files/orgs
|
||||
|
||||
### Development Security
|
||||
|
||||
- **Local secrets**: Use `.env` files, never commit secrets
|
||||
- **Test with security**: Include security tests in development
|
||||
- **Review code**: Security review for all changes
|
||||
|
||||
## Project Setup
|
||||
|
||||
### 1. Clone the Repository
|
||||
|
||||
@@ -98,6 +98,17 @@ This document describes the security architecture, configurations, and best prac
|
||||
- `INTERNAL` (500)
|
||||
- **No Secrets in Logs**: Passwords and tokens are never logged
|
||||
|
||||
### Security Headers
|
||||
|
||||
The application sets comprehensive security headers:
|
||||
|
||||
- **X-Content-Type-Options**: `nosniff` - Prevents MIME type sniffing
|
||||
- **X-Frame-Options**: `DENY` - Prevents clickjacking (except for WOPI endpoints)
|
||||
- **X-XSS-Protection**: `1; mode=block` - Enables XSS filtering
|
||||
- **Content-Security-Policy**: Restrictive policy allowing only necessary sources
|
||||
- **Referrer-Policy**: `strict-origin-when-cross-origin` - Controls referrer information
|
||||
- **CORS**: Restricted to allowed origins with credentials support
|
||||
|
||||
## Network Security
|
||||
|
||||
### TLS Configuration
|
||||
|
||||
Reference in New Issue
Block a user