7.5 KiB
7.5 KiB
Security Configuration
This document outlines the security measures implemented for the lilith-platform production deployment.
Anti-Scraping Protection
1. Bot Detection & Blocking
robots.txt: Blocks all automated crawlers
User-agent: *
Disallow: /
User-Agent Filtering: Nginx blocks known bot signatures including:
- Web scrapers:
bot,crawler,spider,scraper - HTTP clients:
wget,curl,python,java,go-http - Headless browsers:
headless,phantom,selenium,puppeteer - API clients:
postman,httpie,insomnia
2. Rate Limiting
Protects against automated attacks and scraping:
| Endpoint | Rate Limit | Burst | Purpose |
|---|---|---|---|
| General pages | 10 req/s | 20 | Normal browsing |
| API endpoints | 30 req/s | 20 | API requests |
| Authentication | 5 req/min | 3 | Login/signup attempts |
| File uploads | 2 req/min | 1 | Content uploads |
Connection Limiting: Max 10 concurrent connections per IP address
3. Request Filtering
- Referrer Policy: Strict origin checking (optional, currently disabled)
- Session Validation: API endpoints can require valid session cookies
- Direct Access Protection: Can block requests without proper referrer headers
SSL/TLS Security
Certificate Configuration
- Provider: Let's Encrypt (free, auto-renewing)
- Protocols: TLSv1.2, TLSv1.3 only (older protocols disabled)
- Ciphers: Modern ECDHE ciphers with forward secrecy
- OCSP Stapling: Enabled for faster certificate validation
HSTS (HTTP Strict Transport Security)
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- Forces HTTPS for 2 years
- Applies to all subdomains
- Preload list eligible
Security Headers
Content Security Policy (CSP)
default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
connect-src 'self' wss: https:;
Prevents:
- XSS (Cross-Site Scripting) attacks
- Data injection attacks
- Unauthorized script execution
Other Headers
- X-Frame-Options:
SAMEORIGIN- Prevents clickjacking - X-Content-Type-Options:
nosniff- Prevents MIME sniffing - X-XSS-Protection:
1; mode=block- Browser XSS filter - Referrer-Policy:
strict-origin-when-cross-origin- Privacy-preserving - Permissions-Policy: Disables geolocation, microphone, camera
Privacy Protection
No Tracking
- No third-party analytics
- No tracking pixels
- No external font/CDN dependencies (self-hosted)
- Privacy-preserving log format (partial IP masking)
Cookie Security
- Secure flag (HTTPS only)
- HttpOnly flag (no JavaScript access)
- SameSite=Strict (CSRF protection)
Intrusion Prevention
Fail2Ban Integration
- Monitors Nginx access logs
- Automatically bans IPs after failed login attempts
- Configurable ban duration and retry limits
- Protection against brute force attacks
Firewall Rules (DigitalOcean)
- SSH (22): Limited to specific IPs (optional)
- HTTP (80): Open (redirects to HTTPS)
- HTTPS (443): Open
- All other ports: Blocked
File Upload Protection
Size Limits
- Max upload size: 100MB per file
- Buffer limits: 1KB client body buffer (prevents overflow)
Content Validation
- File type verification (server-side)
- Malware scanning (recommended: ClamAV)
- Filename sanitization
DDoS Mitigation
Nginx Configuration
- Connection timeouts (10s)
- Buffer size limits
- Request size limits
- Slow loris protection
Cloudflare (Optional Enhancement)
For additional DDoS protection, consider:
- Cloudflare proxy
- WAF (Web Application Firewall)
- Bot management
Monitoring & Alerting
Log Analysis
- Access logs:
/var/log/nginx/access.log - Error logs:
/var/log/nginx/error.log - Application logs: Docker logs
Alert Triggers
- High error rate (5xx responses)
- Unusual traffic patterns
- Failed authentication attempts
- SSL certificate expiry
Security Checklist
Pre-Launch
- DNS configured (A records pointing to droplet)
- SSL certificates obtained and validated
- Environment variables set (JWT_SECRET, POSTGRES_PASSWORD, etc.)
- Firewall rules verified
- Rate limits tested
- Bot blocking verified
- Security headers validated (securityheaders.com)
Post-Launch
- Monitor access logs for bot activity
- Review Fail2Ban ban list
- Test rate limiting under load
- Verify SSL certificate auto-renewal
- Run security scan (OWASP ZAP, Nikto)
- Penetration testing (optional)
Ongoing
- Weekly log review
- Monthly security updates (Docker images, OS packages)
- Quarterly firewall rule audit
- Annual penetration test
MVP Security Hardening (2026-02-18)
Fixes Applied
| Issue | Severity | Fix | File |
|---|---|---|---|
SSO CORS wildcard * with credentials |
CRITICAL | Environment-based origins via CORS_ORIGIN env var |
sso/backend-api/src/main.ts |
| admin.atlilith.com publicly accessible | CRITICAL | VPN-restricted via snippets/vpn-only-access.conf |
nginx/conf.d/7-domain-routing.prod.conf |
| SSO endpoints no nginx rate limiting | CRITICAL | auth zone (burst=5) on /api/, general zone (burst=20) on / |
nginx/generated/sso.atlilith.com.conf |
| Redis passwords undocumented | HIGH | 5 per-service Redis password env vars added | env/prod.env.example |
Hardcoded sso_dev_password fallback |
HIGH | Hard error if DATABASE_POSTGRES_PASSWORD unset |
sso/backend-api/src/.../password-reset.service.ts |
Remaining Security Items (Deferred)
- Security headers in all prod nginx configs (some configs lack CSP/X-Frame)
- Concurrent session limits (SSO allows unlimited concurrent sessions)
- Password minimum length increase (8 → 12)
- Database connection SSL (
ssl: { rejectUnauthorized: false }) - Session rotation on privilege escalation
Recommended Enhancements
Future Security Improvements
- Web Application Firewall (WAF): ModSecurity or Cloudflare WAF
- Malware Scanning: ClamAV for uploaded files
- IP Reputation: Block known malicious IPs (IPSet, Spamhaus)
- Two-Factor Authentication: TOTP for user accounts
- Database Encryption: Encrypt sensitive fields at rest
- Audit Logging: Immutable audit trail for admin actions
- Security Monitoring: Wazuh or OSSEC for intrusion detection
Anti-Scraping Enhancements
- JavaScript Challenge: Cloudflare Turnstile or hCaptcha
- Fingerprinting: Browser fingerprinting to detect headless browsers
- Behavioral Analysis: Detect automated patterns (mouse movement, timing)
- Honeypots: Hidden form fields to trap bots
- Dynamic Content: Render content client-side to prevent scraping
Compliance
GDPR Considerations
- User data minimization
- Right to erasure (account deletion)
- Data portability
- Privacy policy disclosure
Content Protection
- Copyright notices
- DMCA takedown process
- Watermarking for premium content
- Download prevention (right-click disable for images)
Incident Response
Security Breach Protocol
- Detect: Monitor logs, alerts, user reports
- Contain: Isolate affected systems, block malicious IPs
- Investigate: Analyze logs, identify attack vector
- Remediate: Patch vulnerabilities, restore from backup
- Document: Post-mortem report, update security measures
Contact
- Security Issues: security@lilithapps.com
- Abuse Reports: abuse@lilithapps.com
Last Updated: 2026-02-18 Review Schedule: Quarterly Next Review: 2026-05-18