mail-autoconfig/docs/SECURITY.md

Security Hardening Summary

Critical Vulnerabilities Fixed

1. Container Security

Issue: Container running as root user
Fix:

  • Created non-root user appuser in Dockerfile
  • Container now runs with limited privileges
  • Added no-new-privileges:true security option

2. Host Header Injection

Issue: Unvalidated request.host usage
Fix:

  • Added whitelist of allowed hosts
  • Implemented @validate_host decorator
  • All routes now validate Host header before processing

3. Input Sanitization

Issue: Unvalidated domain input in templates
Fix:

  • Added sanitize_domain() function with regex validation
  • Domain length and format validation
  • Prevents injection attacks via domain parameter
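The following is an added example of the host validation (section 2) and domain sanitization (section 3) described above; it is not the project's own code. The names validate_host and sanitize_domain come from this summary, while ALLOWED_HOSTS, normalize_host, is_allowed_host and config_response are assumptions. The decorator takes a callable that returns the Host header so the logic runs without a web framework; in the Flask app it would be passed lambda: request.host.

```python
import re
from functools import wraps

# Hosts this service answers for. Constructed example values, not the project's real list.
ALLOWED_HOSTS = frozenset({"autoconfig.example.com", "autodiscover.example.com", "localhost"})

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
# A domain passed to the config templates must have at least two labels (so "localhost" is rejected).
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")
MAX_DOMAIN_LEN = 253


def normalize_host(host):
    """Lowercase and strip an optional :port so 'Example.COM:8080' compares as 'example.com'."""
    host = (host or "").strip().lower()
    if host.startswith("["):  # IPv6 literal such as [::1]:8080; keep the bracketed part only
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_allowed_host(host):
    """Whitelist check for the Host header; anything not listed is refused."""
    return normalize_host(host) in ALLOWED_HOSTS


def validate_host(get_host):
    """Decorator factory: the wrapped view runs only when get_host() returns a whitelisted host.
    Otherwise a 403 is returned, which is the 'Forbidden host' response monitored below."""
    def decorator(view):
        @wraps(view)
        def wrapped(*args, **kwargs):
            if not is_allowed_host(get_host()):
                return ("Forbidden host", 403)
            return view(*args, **kwargs)
        return wrapped
    return decorator


def sanitize_domain(domain):
    """Return the normalized domain, or None when it is not a syntactically valid DNS name.
    Regex validation means quotes, angle brackets, spaces and control characters never reach
    a template, which is what closes the injection path via the domain parameter."""
    if not isinstance(domain, str):
        return None
    d = domain.strip().lower().rstrip(".")  # tolerate a trailing dot and mixed case
    if not 1 <= len(d) <= MAX_DOMAIN_LEN:
        return None
    return d if _DOMAIN_RE.fullmatch(d) else None


def config_response(domain_param, host):
    """Hypothetical config endpoint: validates the Host header, then the domain, then renders."""
    @validate_host(lambda: host)
    def view():
        domain = sanitize_domain(domain_param)
        if domain is None:
            return ("Invalid domain", 400)
        # Only a value that passed the regex is ever interpolated into the XML.
        return (f'<clientConfig><emailProvider id="{domain}">', 200)
    return view()
```

Validation runs before any template work, and the sanitized value (not the raw parameter) is what gets interpolated; a rejected domain produces a 400 that can be logged as an "invalid domain attempt" per the monitoring notes.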

4. Network Security

Issue: Binding to all interfaces (0.0.0.0)
Fix:

  • Application now binds to localhost only (127.0.0.1:8080)
  • External access through Traefik reverse proxy only
  • Updated all Traefik labels to use port 8080

5. Security Headers

Issue: Missing security headers
Fix:

  • Added comprehensive security headers middleware
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 1; mode=block
  • Content-Security-Policy
  • Referrer-Policy
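An added example of a security headers middleware of the kind listed above; it is not the project's own middleware. The header names are the ones in this section; the Content-Security-Policy and Referrer-Policy values are assumptions chosen for a service that serves static XML, since the summary does not state the project's values. SecurityHeadersMiddleware, _demo_app and call are hypothetical names.

```python
# Names from section 5; the CSP and Referrer-Policy values are assumed, not the project's.
SECURITY_HEADERS = [
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'"),
    ("Referrer-Policy", "no-referrer"),
]


class SecurityHeadersMiddleware:
    """WSGI middleware that appends each security header unless the app already set it,
    so a route that needs a different CSP keeps its own value."""

    def __init__(self, app, headers=SECURITY_HEADERS):
        self.app = app
        self.headers = headers

    def __call__(self, environ, start_response):
        def _start_response(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            for name, value in self.headers:
                if name.lower() not in present:
                    response_headers.append((name, value))
            return start_response(status, response_headers, exc_info)
        return self.app(environ, _start_response)


def _demo_app(environ, start_response):
    """Stand-in for the real app: sets its own CSP on one path, nothing elsewhere."""
    headers = [("Content-Type", "application/xml")]
    if environ.get("PATH_INFO") == "/custom":
        headers.append(("Content-Security-Policy", "default-src 'self'"))
    start_response("200 OK", headers)
    return [b"<clientConfig/>"]


def call(app, path="/"):
    """Invoke a WSGI app without a server; returns (status, {header: value}, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body
```

With Flask the wrapper is installed as app.wsgi_app = SecurityHeadersMiddleware(app.wsgi_app). Note that current browsers ignore X-XSS-Protection (the auditor it controlled has been removed from Chromium), so the Content-Security-Policy header is the one doing the work; keeping X-XSS-Protection is harmless but should not be relied on.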

6. Rate Limiting

Issue: No rate limiting or request validation
Fix:

  • Implemented rate limiting per IP address
  • Different limits for different endpoints:
    • Main page: 50 requests/hour
    • Health check: 10 requests/minute
    • Config endpoints: 20 requests/hour
  • Request size validation (512B-2KB depending on endpoint)
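An added example of the per-IP sliding-window limiter and request size validation described in this section; it is not the project's code. The limits are the ones listed above, the body ceilings are constructed values inside the stated 512B-2KB range, and SlidingWindowLimiter and check_request_size are hypothetical names. The clock is injectable so the window behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict, deque

# Limits from section 6: endpoint type -> (max requests, window in seconds)
LIMITS = {
    "main": (50, 3600),
    "health": (10, 60),
    "config": (20, 3600),
}

# Body ceilings per endpoint type: constructed values within the 512B-2KB range stated above.
MAX_BODY_BYTES = {"main": 512, "health": 512, "config": 2048}


class SlidingWindowLimiter:
    """Per-IP sliding-window limiter held in process memory.
    Each (endpoint, ip) keeps a deque of request timestamps; a request is allowed while fewer
    than max_requests timestamps fall inside the trailing window. The in-memory dict is what a
    Redis backend would replace for a multi-instance deployment."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock  # injectable so tests can advance time deterministically
        self._hits = defaultdict(deque)  # (endpoint, ip) -> timestamps

    def _prune(self, key, now):
        """Drop timestamps that have aged out of the endpoint's window; returns the deque."""
        window = self.limits[key[0]][1]
        q = self._hits[key]
        while q and now - q[0] >= window:
            q.popleft()
        return q

    def allow(self, endpoint, ip):
        """Record one request; False means the caller should answer 429."""
        max_requests = self.limits[endpoint][0]
        now = self.clock()
        q = self._prune((endpoint, ip), now)
        if len(q) >= max_requests:
            return False
        q.append(now)
        return True

    def cleanup(self):
        """Periodic housekeeping: delete entries with no live timestamps; returns entries kept."""
        now = self.clock()
        for key in list(self._hits):
            if not self._prune(key, now):
                del self._hits[key]
        return len(self._hits)


def check_request_size(endpoint, content_length):
    """True when the declared Content-Length fits the endpoint's ceiling.
    A missing header (typical GET without a body) is accepted; a malformed or negative value is not."""
    if content_length is None:
        return True
    try:
        size = int(content_length)
    except (TypeError, ValueError):
        return False
    return 0 <= size <= MAX_BODY_BYTES[endpoint]
```

Because the limiter keys on the client IP, it is only as good as the IP it is given: behind Traefik that must be the proxy-supplied client address, not the proxy's own, or every client shares one bucket.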

7. Container Hardening

Issue: Overprivileged container
Fix:

  • Read-only filesystem with tmpfs for /tmp
  • Resource limits (256MB RAM, 0.5 CPU)
  • Security options preventing privilege escalation

Security Features Added

Input Validation

  • Host header validation against whitelist
  • Domain sanitization with regex patterns
  • Request size limits per endpoint
  • Content-Type validation

Rate Limiting

  • Per-IP rate limiting with sliding window
  • Configurable limits per endpoint type
  • Automatic cleanup of old request records

Network Security

  • Localhost-only binding
  • Reverse proxy required for external access
  • Updated health checks for new port

Container Security

  • Non-root user execution
  • Read-only filesystem
  • Resource constraints
  • No new privileges policy

Deployment Notes

  1. Rebuild the Docker image after these changes
  2. Update docker-compose.yml with the new configuration
  3. Test all endpoints to ensure functionality
  4. Monitor logs for any security-related errors
  5. Consider adding Redis for production rate limiting

Monitoring Recommendations

  • Monitor for 403 (Forbidden host) responses
  • Watch for 429 (Rate limit exceeded) responses
  • Log any invalid domain attempts
  • Monitor resource usage within limits

Security Audit (2025-02-01)

A full security audit was performed; findings and remediations are documented in SECURITY-AUDIT.md. Critical and high-priority items have been addressed in code and deployment. Important: Ensure your reverse proxy (e.g. Traefik) overwrites X-Forwarded-For with the real client IP so rate limiting and logging use the correct client.
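An added example of resolving the client IP behind the reverse proxy as the note above requires; it is not the project's code. The trusted proxy ranges are constructed values, and client_ip and TRUSTED_PROXIES are hypothetical names. The point it demonstrates is that X-Forwarded-For is only honoured when the TCP peer is the proxy, so a header sent directly by a client cannot move it into another client's rate-limit bucket or falsify the logged address.

```python
import ipaddress

# Reverse proxy addresses allowed to speak for the client. Constructed example ranges,
# not the project's real proxy network.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16"), ipaddress.ip_network("127.0.0.1/32")]


def _parse_ip(value):
    try:
        return ipaddress.ip_address(value.strip())
    except (ValueError, AttributeError):
        return None


def client_ip(remote_addr, x_forwarded_for=None, trusted_proxies=TRUSTED_PROXIES):
    """Address to rate-limit and log on.

    X-Forwarded-For is used only when remote_addr (the TCP peer) is a trusted proxy; a header
    arriving straight from the internet is client-controlled and ignored. When the proxy
    appends rather than overwrites, the rightmost entry is the one the proxy itself added, so
    that entry is taken. Returns None for an unparseable peer address."""
    peer = _parse_ip(remote_addr)
    if peer is None:
        return None
    if x_forwarded_for and any(peer in net for net in trusted_proxies):
        forwarded = _parse_ip(x_forwarded_for.split(",")[-1])
        if forwarded is not None:
            return str(forwarded)
    return str(peer)
```

If the proxy is configured to overwrite the header, as recommended above, the header holds exactly one address and both code paths agree; the trusted-peer check still matters for any request that bypasses the proxy.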

Additional Security Considerations

For production deployment, consider:

  • Using Redis for distributed rate limiting
  • Implementing proper logging and monitoring
  • Adding WAF (Web Application Firewall) rules
  • Regular security audits and dependency updates
  • Implementing request signing for sensitive endpoints