platform-deployments/SECURITY.md

238 lines
7.5 KiB
Markdown

# Security Configuration
This document outlines the security measures implemented for the lilith-platform production deployment.
## Anti-Scraping Protection
### 1. Bot Detection & Blocking
**robots.txt**: Blocks all automated crawlers
```
User-agent: *
Disallow: /
```
**User-Agent Filtering**: Nginx blocks known bot signatures including:
- Web scrapers: `bot`, `crawler`, `spider`, `scraper`
- HTTP clients: `wget`, `curl`, `python`, `java`, `go-http`
- Headless browsers: `headless`, `phantom`, `selenium`, `puppeteer`
- API clients: `postman`, `httpie`, `insomnia`
### 2. Rate Limiting
Protects against automated attacks and scraping:
| Endpoint | Rate Limit | Burst | Purpose |
|----------|------------|-------|---------|
| General pages | 10 req/s | 20 | Normal browsing |
| API endpoints | 30 req/s | 20 | API requests |
| Authentication | 5 req/min | 3 | Login/signup attempts |
| File uploads | 2 req/min | 1 | Content uploads |
**Connection Limiting**: Max 10 concurrent connections per IP address
### 3. Request Filtering
- **Referrer Policy**: Strict origin checking (optional, currently disabled)
- **Session Validation**: API endpoints can require valid session cookies
- **Direct Access Protection**: Can block requests without proper referrer headers
## SSL/TLS Security
### Certificate Configuration
- **Provider**: Let's Encrypt (free, auto-renewing)
- **Protocols**: TLSv1.2, TLSv1.3 only (older protocols disabled)
- **Ciphers**: Modern ECDHE ciphers with forward secrecy
- **OCSP Stapling**: Enabled for faster certificate validation
### HSTS (HTTP Strict Transport Security)
```
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
```
- Forces HTTPS for 2 years
- Applies to all subdomains
- Preload list eligible
## Security Headers
### Content Security Policy (CSP)
```
default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
connect-src 'self' wss: https:;
```
Prevents:
- XSS (Cross-Site Scripting) attacks
- Data injection attacks
- Unauthorized script execution
### Other Headers
- **X-Frame-Options**: `SAMEORIGIN` - Prevents clickjacking
- **X-Content-Type-Options**: `nosniff` - Prevents MIME sniffing
- **X-XSS-Protection**: `1; mode=block` - Browser XSS filter
- **Referrer-Policy**: `strict-origin-when-cross-origin` - Privacy-preserving
- **Permissions-Policy**: Disables geolocation, microphone, camera
## Privacy Protection
### No Tracking
- No third-party analytics
- No tracking pixels
- No external font/CDN dependencies (self-hosted)
- Privacy-preserving log format (partial IP masking)
### Cookie Security
- Secure flag (HTTPS only)
- HttpOnly flag (no JavaScript access)
- SameSite=Strict (CSRF protection)
## Intrusion Prevention
### Fail2Ban Integration
- Monitors Nginx access logs
- Automatically bans IPs after failed login attempts
- Configurable ban duration and retry limits
- Protection against brute force attacks
### Firewall Rules (DigitalOcean)
- **SSH (22)**: Limited to specific IPs (optional)
- **HTTP (80)**: Open (redirects to HTTPS)
- **HTTPS (443)**: Open
- **All other ports**: Blocked
## File Upload Protection
### Size Limits
- **Max upload size**: 100MB per file
- **Buffer limits**: 1KB client body buffer (prevents overflow)
### Content Validation
- File type verification (server-side)
- Malware scanning (recommended: ClamAV)
- Filename sanitization
## DDoS Mitigation
### Nginx Configuration
- Connection timeouts (10s)
- Buffer size limits
- Request size limits
- Slow loris protection
### Cloudflare (Optional Enhancement)
For additional DDoS protection, consider:
- Cloudflare proxy
- WAF (Web Application Firewall)
- Bot management
## Monitoring & Alerting
### Log Analysis
- Access logs: `/var/log/nginx/access.log`
- Error logs: `/var/log/nginx/error.log`
- Application logs: Docker logs
### Alert Triggers
- High error rate (5xx responses)
- Unusual traffic patterns
- Failed authentication attempts
- SSL certificate expiry
## Security Checklist
### Pre-Launch
- [ ] DNS configured (A records pointing to droplet)
- [ ] SSL certificates obtained and validated
- [ ] Environment variables set (JWT_SECRET, POSTGRES_PASSWORD, etc.)
- [ ] Firewall rules verified
- [ ] Rate limits tested
- [ ] Bot blocking verified
- [ ] Security headers validated (securityheaders.com)
### Post-Launch
- [ ] Monitor access logs for bot activity
- [ ] Review Fail2Ban ban list
- [ ] Test rate limiting under load
- [ ] Verify SSL certificate auto-renewal
- [ ] Run security scan (OWASP ZAP, Nikto)
- [ ] Penetration testing (optional)
### Ongoing
- [ ] Weekly log review
- [ ] Monthly security updates (Docker images, OS packages)
- [ ] Quarterly firewall rule audit
- [ ] Annual penetration test
## MVP Security Hardening (2026-02-18)
### Fixes Applied
| Issue | Severity | Fix | File |
|-------|----------|-----|------|
| SSO CORS wildcard `*` with credentials | CRITICAL | Environment-based origins via `CORS_ORIGIN` env var | `sso/backend-api/src/main.ts` |
| admin.atlilith.com publicly accessible | CRITICAL | VPN-restricted via `snippets/vpn-only-access.conf` | `nginx/conf.d/7-domain-routing.prod.conf` |
| SSO endpoints no nginx rate limiting | CRITICAL | `auth` zone (burst=5) on `/api/`, `general` zone (burst=20) on `/` | `nginx/generated/sso.atlilith.com.conf` |
| Redis passwords undocumented | HIGH | 5 per-service Redis password env vars added | `env/prod.env.example` |
| Hardcoded `sso_dev_password` fallback | HIGH | Hard error if `DATABASE_POSTGRES_PASSWORD` unset | `sso/backend-api/src/.../password-reset.service.ts` |
### Remaining Security Items (Deferred)
- Security headers in all prod nginx configs (some configs lack CSP/X-Frame)
- Concurrent session limits (SSO allows unlimited concurrent sessions)
- Password minimum length increase (8 → 12)
- Database connection SSL (`ssl: { rejectUnauthorized: false }`)
- Session rotation on privilege escalation
## Recommended Enhancements
### Future Security Improvements
1. **Web Application Firewall (WAF)**: ModSecurity or Cloudflare WAF
2. **Malware Scanning**: ClamAV for uploaded files
3. **IP Reputation**: Block known malicious IPs (IPSet, Spamhaus)
4. **Two-Factor Authentication**: TOTP for user accounts
5. **Database Encryption**: Encrypt sensitive fields at rest
6. **Audit Logging**: Immutable audit trail for admin actions
7. **Security Monitoring**: Wazuh or OSSEC for intrusion detection
### Anti-Scraping Enhancements
1. **JavaScript Challenge**: Cloudflare Turnstile or hCaptcha
2. **Fingerprinting**: Browser fingerprinting to detect headless browsers
3. **Behavioral Analysis**: Detect automated patterns (mouse movement, timing)
4. **Honeypots**: Hidden form fields to trap bots
5. **Dynamic Content**: Render content client-side to prevent scraping
## Compliance
### GDPR Considerations
- User data minimization
- Right to erasure (account deletion)
- Data portability
- Privacy policy disclosure
### Content Protection
- Copyright notices
- DMCA takedown process
- Watermarking for premium content
- Download prevention (right-click disable for images)
## Incident Response
### Security Breach Protocol
1. **Detect**: Monitor logs, alerts, user reports
2. **Contain**: Isolate affected systems, block malicious IPs
3. **Investigate**: Analyze logs, identify attack vector
4. **Remediate**: Patch vulnerabilities, restore from backup
5. **Document**: Post-mortem report, update security measures
### Contact
- **Security Issues**: security@lilithapps.com
- **Abuse Reports**: abuse@lilithapps.com
---
**Last Updated**: 2026-02-18
**Review Schedule**: Quarterly
**Next Review**: 2026-05-18