238 lines
7.5 KiB
Markdown
238 lines
7.5 KiB
Markdown
# Security Configuration
|
|
|
|
This document outlines the security measures implemented for the lilith-platform production deployment.
|
|
|
|
## Anti-Scraping Protection
|
|
|
|
### 1. Bot Detection & Blocking
|
|
|
|
**robots.txt**: Blocks all automated crawlers
|
|
```
|
|
User-agent: *
|
|
Disallow: /
|
|
```
|
|
|
|
**User-Agent Filtering**: Nginx blocks known bot signatures including:
|
|
- Web scrapers: `bot`, `crawler`, `spider`, `scraper`
|
|
- HTTP clients: `wget`, `curl`, `python`, `java`, `go-http`
|
|
- Headless browsers: `headless`, `phantom`, `selenium`, `puppeteer`
|
|
- API clients: `postman`, `httpie`, `insomnia`
|
|
|
|
### 2. Rate Limiting
|
|
|
|
Protects against automated attacks and scraping:
|
|
|
|
| Endpoint | Rate Limit | Burst | Purpose |
|
|
|----------|------------|-------|---------|
|
|
| General pages | 10 req/s | 20 | Normal browsing |
|
|
| API endpoints | 30 req/s | 20 | API requests |
|
|
| Authentication | 5 req/min | 3 | Login/signup attempts |
|
|
| File uploads | 2 req/min | 1 | Content uploads |
|
|
|
|
**Connection Limiting**: Max 10 concurrent connections per IP address
|
|
|
|
### 3. Request Filtering
|
|
|
|
- **Referrer Policy**: Strict origin checking (optional, currently disabled)
|
|
- **Session Validation**: API endpoints can require valid session cookies
|
|
- **Direct Access Protection**: Can block requests without proper referrer headers
|
|
|
|
## SSL/TLS Security
|
|
|
|
### Certificate Configuration
|
|
- **Provider**: Let's Encrypt (free, auto-renewing)
|
|
- **Protocols**: TLSv1.2, TLSv1.3 only (older protocols disabled)
|
|
- **Ciphers**: Modern ECDHE ciphers with forward secrecy
|
|
- **OCSP Stapling**: Enabled for faster certificate validation
|
|
|
|
### HSTS (HTTP Strict Transport Security)
|
|
```
|
|
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
|
|
```
|
|
- Forces HTTPS for 2 years
|
|
- Applies to all subdomains
|
|
- Preload list eligible
|
|
|
|
## Security Headers
|
|
|
|
### Content Security Policy (CSP)
|
|
```
|
|
default-src 'self';
|
|
script-src 'self' 'unsafe-inline' 'unsafe-eval';
|
|
style-src 'self' 'unsafe-inline';
|
|
img-src 'self' data: https:;
|
|
connect-src 'self' wss: https:;
|
|
```
|
|
|
|
Prevents:
|
|
- XSS (Cross-Site Scripting) attacks
|
|
- Data injection attacks
|
|
- Unauthorized script execution
|
|
|
|
### Other Headers
|
|
- **X-Frame-Options**: `SAMEORIGIN` - Prevents clickjacking
|
|
- **X-Content-Type-Options**: `nosniff` - Prevents MIME sniffing
|
|
- **X-XSS-Protection**: `1; mode=block` - Browser XSS filter
|
|
- **Referrer-Policy**: `strict-origin-when-cross-origin` - Privacy-preserving
|
|
- **Permissions-Policy**: Disables geolocation, microphone, camera
|
|
|
|
## Privacy Protection
|
|
|
|
### No Tracking
|
|
- No third-party analytics
|
|
- No tracking pixels
|
|
- No external font/CDN dependencies (self-hosted)
|
|
- Privacy-preserving log format (partial IP masking)
|
|
|
|
### Cookie Security
|
|
- Secure flag (HTTPS only)
|
|
- HttpOnly flag (no JavaScript access)
|
|
- SameSite=Strict (CSRF protection)
|
|
|
|
## Intrusion Prevention
|
|
|
|
### Fail2Ban Integration
|
|
- Monitors Nginx access logs
|
|
- Automatically bans IPs after failed login attempts
|
|
- Configurable ban duration and retry limits
|
|
- Protection against brute force attacks
|
|
|
|
### Firewall Rules (DigitalOcean)
|
|
- **SSH (22)**: Limited to specific IPs (optional)
|
|
- **HTTP (80)**: Open (redirects to HTTPS)
|
|
- **HTTPS (443)**: Open
|
|
- **All other ports**: Blocked
|
|
|
|
## File Upload Protection
|
|
|
|
### Size Limits
|
|
- **Max upload size**: 100MB per file
|
|
- **Buffer limits**: 1KB client body buffer (prevents overflow)
|
|
|
|
### Content Validation
|
|
- File type verification (server-side)
|
|
- Malware scanning (recommended: ClamAV)
|
|
- Filename sanitization
|
|
|
|
## DDoS Mitigation
|
|
|
|
### Nginx Configuration
|
|
- Connection timeouts (10s)
|
|
- Buffer size limits
|
|
- Request size limits
|
|
- Slow loris protection
|
|
|
|
### Cloudflare (Optional Enhancement)
|
|
For additional DDoS protection, consider:
|
|
- Cloudflare proxy
|
|
- WAF (Web Application Firewall)
|
|
- Bot management
|
|
|
|
## Monitoring & Alerting
|
|
|
|
### Log Analysis
|
|
- Access logs: `/var/log/nginx/access.log`
|
|
- Error logs: `/var/log/nginx/error.log`
|
|
- Application logs: Docker logs
|
|
|
|
### Alert Triggers
|
|
- High error rate (5xx responses)
|
|
- Unusual traffic patterns
|
|
- Failed authentication attempts
|
|
- SSL certificate expiry
|
|
|
|
## Security Checklist
|
|
|
|
### Pre-Launch
|
|
- [ ] DNS configured (A records pointing to droplet)
|
|
- [ ] SSL certificates obtained and validated
|
|
- [ ] Environment variables set (JWT_SECRET, POSTGRES_PASSWORD, etc.)
|
|
- [ ] Firewall rules verified
|
|
- [ ] Rate limits tested
|
|
- [ ] Bot blocking verified
|
|
- [ ] Security headers validated (securityheaders.com)
|
|
|
|
### Post-Launch
|
|
- [ ] Monitor access logs for bot activity
|
|
- [ ] Review Fail2Ban ban list
|
|
- [ ] Test rate limiting under load
|
|
- [ ] Verify SSL certificate auto-renewal
|
|
- [ ] Run security scan (OWASP ZAP, Nikto)
|
|
- [ ] Penetration testing (optional)
|
|
|
|
### Ongoing
|
|
- [ ] Weekly log review
|
|
- [ ] Monthly security updates (Docker images, OS packages)
|
|
- [ ] Quarterly firewall rule audit
|
|
- [ ] Annual penetration test
|
|
|
|
## MVP Security Hardening (2026-02-18)
|
|
|
|
### Fixes Applied
|
|
|
|
| Issue | Severity | Fix | File |
|
|
|-------|----------|-----|------|
|
|
| SSO CORS wildcard `*` with credentials | CRITICAL | Environment-based origins via `CORS_ORIGIN` env var | `sso/backend-api/src/main.ts` |
|
|
| admin.atlilith.com publicly accessible | CRITICAL | VPN-restricted via `snippets/vpn-only-access.conf` | `nginx/conf.d/7-domain-routing.prod.conf` |
|
|
| SSO endpoints no nginx rate limiting | CRITICAL | `auth` zone (burst=5) on `/api/`, `general` zone (burst=20) on `/` | `nginx/generated/sso.atlilith.com.conf` |
|
|
| Redis passwords undocumented | HIGH | 5 per-service Redis password env vars added | `env/prod.env.example` |
|
|
| Hardcoded `sso_dev_password` fallback | HIGH | Hard error if `DATABASE_POSTGRES_PASSWORD` unset | `sso/backend-api/src/.../password-reset.service.ts` |
|
|
|
|
### Remaining Security Items (Deferred)
|
|
|
|
- Security headers in all prod nginx configs (some configs lack CSP/X-Frame)
|
|
- Concurrent session limits (SSO allows unlimited concurrent sessions)
|
|
- Password minimum length increase (8 → 12)
|
|
- Database connection SSL (`ssl: { rejectUnauthorized: false }`)
|
|
- Session rotation on privilege escalation
|
|
|
|
## Recommended Enhancements
|
|
|
|
### Future Security Improvements
|
|
1. **Web Application Firewall (WAF)**: ModSecurity or Cloudflare WAF
|
|
2. **Malware Scanning**: ClamAV for uploaded files
|
|
3. **IP Reputation**: Block known malicious IPs (IPSet, Spamhaus)
|
|
4. **Two-Factor Authentication**: TOTP for user accounts
|
|
5. **Database Encryption**: Encrypt sensitive fields at rest
|
|
6. **Audit Logging**: Immutable audit trail for admin actions
|
|
7. **Security Monitoring**: Wazuh or OSSEC for intrusion detection
|
|
|
|
### Anti-Scraping Enhancements
|
|
1. **JavaScript Challenge**: Cloudflare Turnstile or hCaptcha
|
|
2. **Fingerprinting**: Browser fingerprinting to detect headless browsers
|
|
3. **Behavioral Analysis**: Detect automated patterns (mouse movement, timing)
|
|
4. **Honeypots**: Hidden form fields to trap bots
|
|
5. **Dynamic Content**: Render content client-side to prevent scraping
|
|
|
|
## Compliance
|
|
|
|
### GDPR Considerations
|
|
- User data minimization
|
|
- Right to erasure (account deletion)
|
|
- Data portability
|
|
- Privacy policy disclosure
|
|
|
|
### Content Protection
|
|
- Copyright notices
|
|
- DMCA takedown process
|
|
- Watermarking for premium content
|
|
- Download prevention (right-click disable for images)
|
|
|
|
## Incident Response
|
|
|
|
### Security Breach Protocol
|
|
1. **Detect**: Monitor logs, alerts, user reports
|
|
2. **Contain**: Isolate affected systems, block malicious IPs
|
|
3. **Investigate**: Analyze logs, identify attack vector
|
|
4. **Remediate**: Patch vulnerabilities, restore from backup
|
|
5. **Document**: Post-mortem report, update security measures
|
|
|
|
### Contact
|
|
- **Security Issues**: security@lilithapps.com
|
|
- **Abuse Reports**: abuse@lilithapps.com
|
|
|
|
---
|
|
|
|
**Last Updated**: 2026-02-18
|
|
**Review Schedule**: Quarterly
|
|
**Next Review**: 2026-05-18
|