More hardening and migration from Drone to Woodpecker

docs/SECURITY.md

@@ -0,0 +1,110 @@
+# Security Hardening Summary
+
+## Critical Vulnerabilities Fixed
+
+### 1. ✅ Container Security
+**Issue**: Container running as root user
+**Fix**: 
+- Created non-root user `appuser` in Dockerfile
+- Container now runs with limited privileges
+- Added `no-new-privileges:true` security option
+
+### 2. ✅ Host Header Injection
+**Issue**: Unvalidated `request.host` usage
+**Fix**:
+- Added whitelist of allowed hosts
+- Implemented `@validate_host` decorator
+- All routes now validate Host header before processing
+
+### 3. ✅ Input Sanitization
+**Issue**: Unvalidated domain input in templates
+**Fix**:
+- Added `sanitize_domain()` function with regex validation
+- Domain length and format validation
+- Prevents injection attacks via domain parameter
+
+### 4. ✅ Network Security
+**Issue**: Binding to all interfaces (0.0.0.0)
+**Fix**:
+- Application now binds to localhost only (127.0.0.1:8080)
+- External access through Traefik reverse proxy only
+- Updated all Traefik labels to use port 8080
+
+### 5. ✅ Security Headers
+**Issue**: Missing security headers
+**Fix**:
+- Added comprehensive security headers middleware
+- X-Content-Type-Options: nosniff
+- X-Frame-Options: DENY
+- X-XSS-Protection: 1; mode=block
+- Content-Security-Policy
+- Referrer-Policy
+
+### 6. ✅ Rate Limiting
+**Issue**: No rate limiting or request validation
+**Fix**:
+- Implemented rate limiting per IP address
+- Different limits for different endpoints:
+  - Main page: 50 requests/hour
+  - Health check: 10 requests/minute
+  - Config endpoints: 20 requests/hour
+- Request size validation (512B-2KB depending on endpoint)
+
+### 7. ✅ Container Hardening
+**Issue**: Overprivileged container
+**Fix**:
+- Read-only filesystem with tmpfs for /tmp
+- Resource limits (256MB RAM, 0.5 CPU)
+- Security options preventing privilege escalation
+
+## Security Features Added
+
+### Input Validation
+- Host header validation against whitelist
+- Domain sanitization with regex patterns
+- Request size limits per endpoint
+- Content-Type validation
+
+### Rate Limiting
+- Per-IP rate limiting with sliding window
+- Configurable limits per endpoint type
+- Automatic cleanup of old request records
+
+### Network Security
+- Localhost-only binding
+- Reverse proxy required for external access
+- Updated health checks for new port
+
+### Container Security
+- Non-root user execution
+- Read-only filesystem
+- Resource constraints
+- No new privileges policy
+
+## Deployment Notes
+
+1. **Rebuild the Docker image** after these changes
+2. **Update docker-compose.yml** with the new configuration
+3. **Test all endpoints** to ensure functionality
+4. **Monitor logs** for any security-related errors
+5. **Consider adding Redis** for production rate limiting
+
+## Monitoring Recommendations
+
+- Monitor for 403 (Forbidden host) responses
+- Watch for 429 (Rate limit exceeded) responses
+- Log any invalid domain attempts
+- Monitor resource usage within limits
+
+## Security Audit (2025-02-01)
+
+A full security audit was performed; findings and remediations are documented in **SECURITY-AUDIT.md**. Critical and high-priority items have been addressed in code and deployment. **Important:** Ensure your reverse proxy (e.g. Traefik) overwrites `X-Forwarded-For` with the real client IP so rate limiting and logging use the correct client.
+
+## Additional Security Considerations
+
+For production deployment, consider:
+- Using Redis for distributed rate limiting
+- Implementing proper logging and monitoring
+- Adding WAF (Web Application Firewall) rules
+- Regular security audits and dependency updates
+- Implementing request signing for sensitive endpoints