b0esche/b0esche_cloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c27f4be6cb03d4f4efef1683c39cf60b3ef5ba6f
b0esche_cloud/docs/SECURITY.md

6.4 KiB
Raw Blame History

b0esche.cloud Security Guide

This document describes the security architecture, configurations, and best practices for b0esche.cloud.

Security Architecture Overview

                              Internet
                                  │
                                  ▼
                        ┌─────────────────┐
                        │   Traefik       │ ← Only public entrypoint
                        │  (443, 80)      │   TLS termination
                        └────────┬────────┘
                                 │
                 ┌───────────────┼───────────────┐
                 ▼               ▼               ▼
          ┌──────────┐    ┌──────────┐    ┌──────────┐
          │ Flutter  │    │  Go API  │    │Collabora │
          │  Web     │    │ Backend  │    │ Online   │
          └──────────┘    └────┬─────┘    └──────────┘
                               │
                 ┌─────────────┼─────────────┐
                 ▼             ▼             ▼
          ┌──────────┐  ┌──────────┐  ┌──────────┐
          │PostgreSQL│  │Nextcloud │  │  Redis   │
          │(internal)│  │(storage) │  │(sessions)│
          └──────────┘  └──────────┘  └──────────┘

Authentication Security

Primary: Passkeys (WebAuthn)

  • Protocol: WebAuthn/FIDO2 standard
  • Cryptography: ECDSA with P-256 or RSA with 2048+ bits
  • Origin Binding: Strictly bound to https://b0esche.cloud
  • RP ID: b0esche.cloud
  • Challenge Generation: 32 bytes of cryptographically secure random data
  • Challenge Expiry: 60 seconds

Fallback: Password Authentication

  • Hashing: Argon2id (OWASP recommended parameters)
    • Time: 2 iterations
    • Memory: 19 MB
    • Threads: 1
    • Key Length: 32 bytes
  • Password Requirements: Minimum 8 characters (enforced server-side)

Session Management

  • Token Format: JWT (HS256)
  • Token Lifetime: 15 minutes (auto-refresh enabled)
  • Session Storage: Database-backed with revocation support
  • Session Validation: Every request validates session is not revoked

Authorization

Role-Based Access Control (RBAC)

Role Level Permissions
superadmin 3 Full system access, user management
admin 2 Organization management, user roles
user 1 Personal files, org membership

Organization Scoping

  • All file operations are scoped to authenticated user + organization
  • Membership verification on every org-scoped request
  • Permission checks via middleware pipeline

API Security

Rate Limiting

  • General Endpoints: 100 requests/minute per IP
  • Auth Endpoints: 10 requests/minute per IP (brute-force protection)
  • Implementation: Sliding window algorithm

Input Validation

  • Path Traversal Prevention: All file paths are sanitized
    • .. sequences are rejected
    • Paths are cleaned and normalized
  • UUID Validation: All IDs are validated as proper UUIDs
  • File Size Limits: 32MB maximum upload size

Output Security

  • No Stack Traces: Error responses never include stack traces
  • Structured Errors: Consistent error format with codes:
    • UNAUTHENTICATED (401)
    • PERMISSION_DENIED (403)
    • NOT_FOUND (404)
    • INVALID_ARGUMENT (400)
    • INTERNAL (500)
  • No Secrets in Logs: Passwords and tokens are never logged

Security Headers

The application sets comprehensive security headers:

  • X-Content-Type-Options: nosniff - Prevents MIME type sniffing
  • X-Frame-Options: DENY - Prevents clickjacking (except for WOPI endpoints)
  • X-XSS-Protection: 1; mode=block - Enables XSS filtering
  • Content-Security-Policy: Restrictive policy allowing only necessary sources
  • Referrer-Policy: strict-origin-when-cross-origin - Controls referrer information
  • CORS: Restricted to allowed origins with credentials support

Network Security

TLS Configuration

  • Protocol: TLS 1.2 minimum (TLS 1.3 preferred)
  • Certificate: Let's Encrypt (auto-renewed via DNS-01 challenge)
  • HSTS: Enabled with 1-year max-age

CORS Policy

  • Allowed Origins:
    • https://b0esche.cloud
    • https://www.b0esche.cloud
    • https://*.b0esche.cloud
  • Credentials: Allowed
  • Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
  • Max Age: 3600 seconds

Port Exposure

Port Service Exposed To
443 Traefik (HTTPS) Internet
80 Traefik (HTTP→HTTPS) Internet
22 SSH Internet (key-only)
8080 Go Backend Internal only
5432 PostgreSQL Internal only
9980 Collabora Internal only

Secure Development Practices

Code Security Checklist

  • No hardcoded secrets
  • No debug logging of sensitive data
  • Input validation on all endpoints
  • Path sanitization for file operations
  • Parameterized SQL queries (no string concatenation)
  • Error responses don't leak internal details

Deployment Security

  • Production secrets via environment variables only
  • .env files excluded from git
  • Docker containers run as non-root where possible
  • Regular dependency updates

Incident Response

Logging

All security-relevant events are logged:

  • Login attempts (success/failure)
  • Session creation/revocation
  • Permission denials
  • Rate limit violations
  • File access (view/edit/delete)

Log Format

[LEVEL] req_id=<uuid> user_id=<uuid> org_id=<uuid> action=<string>: message

Audit Trail

The activities table stores:

  • User actions (file operations, org changes)
  • Timestamps
  • Associated resources
  • Success/failure status

Security Contacts

For security issues, contact the system administrator directly. Do not report security vulnerabilities in public issue trackers.

Changelog

Date Change
2026-01-13 Initial security documentation
2026-01-13 Removed debug password logging
2026-01-13 Added rate limiting
2026-01-13 Added path traversal protection
Reference in New Issue View Git Blame Copy Permalink