tony/WHOOSH
1
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases Wiki Activity

Updated project files and configuration
Some checks failed
WHOOSH CI / speclint (push) Has been cancelled
Details
WHOOSH CI / contracts (push) Has been cancelled
Details

Browse Source 
- Added/updated .gitignore file
- Fixed remote URL configuration
- Updated project structure and files

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Claude Code
2025-09-17 22:51:50 +10:00
parent e5555ae277
commit afccc94998
19 changed files with 3376 additions and 2352 deletions
Download Patch File Download Diff File Expand all files Collapse all files

332
SECURITY.md Normal file
View File

@@ -0,0 +1,332 @@
# Security Policy
## Overview
WHOOSH implements enterprise-grade security controls to protect against common web application vulnerabilities and ensure safe operation in production environments. This document outlines our security implementation, best practices, and procedures.
## 🔐 Security Implementation
### Authentication & Authorization
**JWT Authentication**
- Role-based access control (admin/user roles)
- Configurable token expiration (default: 24 hours)
- Support for file-based and environment-based secrets
- Secure token validation with comprehensive error handling
**Service Token Authentication**
- Internal service-to-service authentication
- Scoped permissions for automated systems
- Support for multiple service tokens
- Configurable token management
**Protected Endpoints**
All administrative endpoints require proper authentication:
- Council management (`/api/v1/councils/*/artifacts`)
- Repository operations (`/api/v1/repositories/*`)
- Team management (`/api/v1/teams/*`)
- Task ingestion (`/api/v1/tasks/ingest`)
- Project operations (`/api/v1/projects/*`)
### Input Validation & Sanitization
**Comprehensive Input Validation**
- Regex-based validation for all input types
- Request body size limits (1MB default, 10MB for webhooks)
- UUID validation for all identifiers
- Safe character restrictions for names and titles
**Validation Rules**
```go
Project Names: ^[a-zA-Z0-9\s\-_]+$ (max 100 chars)
Git URLs: Proper URL format validation
Task Titles: Safe characters only (max 200 chars)
Agent IDs: ^[a-zA-Z0-9\-]+$ (max 50 chars)
UUIDs: RFC 4122 compliant format
```
**Injection Prevention**
- SQL injection prevention through parameterized queries
- XSS prevention through input sanitization
- Command injection prevention through input validation
- Path traversal prevention through path sanitization
### CORS Configuration
**Production-Safe CORS**
- No wildcard origins in production
- Configurable allowed origins via environment variables
- Support for file-based origin configuration
- Restricted allowed headers and methods
**Configuration Example**
```bash
# Production CORS configuration
WHOOSH_CORS_ALLOWED_ORIGINS=https://app.company.com,https://admin.company.com
WHOOSH_CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS
WHOOSH_CORS_ALLOWED_HEADERS=Authorization,Content-Type,X-Requested-With
WHOOSH_CORS_ALLOW_CREDENTIALS=true
```
### Rate Limiting
**Per-IP Rate Limiting**
- Default: 100 requests per minute per IP address
- Configurable limits and time windows
- Automatic cleanup to prevent memory leaks
- Support for proxy headers (X-Forwarded-For, X-Real-IP)
**Configuration**
```bash
WHOOSH_RATE_LIMIT_ENABLED=true
WHOOSH_RATE_LIMIT_REQUESTS=100 # Requests per window
WHOOSH_RATE_LIMIT_WINDOW=60s # Rate limiting window
WHOOSH_RATE_LIMIT_CLEANUP_INTERVAL=300s # Cleanup frequency
```
### Security Headers
**HTTP Security Headers**
```
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
```
### Webhook Security
**Gitea Webhook Protection**
- HMAC SHA-256 signature validation
- Timing-safe signature comparison using `hmac.Equal`
- Request body size limits (10MB maximum)
- Content-Type header validation
- Comprehensive attack attempt logging
**Configuration**
```bash
WHOOSH_WEBHOOK_SECRET_FILE=/run/secrets/webhook_secret
WHOOSH_MAX_WEBHOOK_SIZE=10485760 # 10MB
```
## 🛡️ Security Best Practices
### Production Deployment
**Secret Management**
```bash
# Use file-based secrets in production
WHOOSH_JWT_SECRET_FILE=/run/secrets/jwt_secret
WHOOSH_GITEA_TOKEN_FILE=/run/secrets/gitea_token
WHOOSH_WEBHOOK_SECRET_FILE=/run/secrets/webhook_secret
# Docker Swarm secrets example
echo "strong-jwt-secret-32-chars-min" | docker secret create whoosh_jwt_secret -
```
**Database Security**
```bash
# Use SSL/TLS for database connections
WHOOSH_DATABASE_URL=postgres://user:pass@host/db?sslmode=require
# Connection pool limits
WHOOSH_DB_MAX_OPEN_CONNS=25
WHOOSH_DB_MAX_IDLE_CONNS=10
WHOOSH_DB_CONN_MAX_LIFETIME=300s
```
**TLS Configuration**
```bash
# Enable TLS in production
WHOOSH_TLS_ENABLED=true
WHOOSH_TLS_CERT_FILE=/path/to/cert.pem
WHOOSH_TLS_KEY_FILE=/path/to/key.pem
WHOOSH_TLS_MIN_VERSION=1.2
```
### Security Monitoring
**Logging & Monitoring**
- Structured logging with security event correlation
- Failed authentication attempt monitoring
- Rate limit violation alerting
- Administrative action audit logging
**Health & Security Endpoints**
- `/health` - Basic health check (unauthenticated)
- `/admin/health/details` - Detailed system status (authenticated)
- `/metrics` - Prometheus metrics (unauthenticated)
### Access Control
**Role-Based Permissions**
- **Admin Role**: Full system access, administrative operations
- **User Role**: Read-only access to public endpoints
- **Service Tokens**: Scoped access for internal services
**Endpoint Protection Matrix**
| Endpoint Category | Authentication | Authorization |
|-------------------|---------------|---------------|
| Public Health | None | None |
| Public APIs | JWT | User/Admin |
| Admin Operations | JWT | Admin Only |
| Internal Services | Service Token | Scoped Access |
| Webhooks | HMAC | Signature |
## 🔍 Security Testing
### Vulnerability Assessment
**Regular Security Audits**
- OWASP Top 10 compliance verification
- Dependency vulnerability scanning
- Static code analysis with security focus
- Penetration testing of critical endpoints
**Automated Security Testing**
```bash
# Static security analysis
go run honnef.co/go/tools/cmd/staticcheck ./...
# Dependency vulnerability scanning
go mod tidy && go list -json -deps | audit
# Security linting
golangci-lint run --enable gosec
```
### Security Validation
**Authentication Testing**
- Token validation bypass attempts
- Role escalation prevention verification
- Session management security testing
- Service token scope validation
**Input Validation Testing**
- SQL injection attempt testing
- XSS payload validation testing
- Command injection prevention testing
- File upload security testing (if applicable)
## 📊 Compliance & Standards
### Industry Standards Compliance
**OWASP Top 10 2021 Protection**
-**A01: Broken Access Control** - Comprehensive authentication/authorization
-**A02: Cryptographic Failures** - Strong JWT signing, HTTPS enforcement
-**A03: Injection** - Parameterized queries, input validation
-**A04: Insecure Design** - Security-by-design architecture
-**A05: Security Misconfiguration** - Secure defaults, configuration validation
-**A06: Vulnerable Components** - Regular dependency updates
-**A07: Identity & Authentication** - Robust authentication framework
-**A08: Software & Data Integrity** - Webhook signature validation
-**A09: Logging & Monitoring** - Comprehensive security logging
-**A10: Server-Side Request Forgery** - Input validation prevents SSRF
**Enterprise Compliance**
- **SOC 2 Type II**: Access controls, monitoring, data protection
- **ISO 27001**: Information security management system
- **NIST Cybersecurity Framework**: Identify, Protect, Detect functions
## 🚨 Incident Response
### Security Incident Handling
**Immediate Response**
1. **Detection**: Monitor logs for security events
2. **Assessment**: Evaluate impact and scope
3. **Containment**: Implement immediate protective measures
4. **Investigation**: Analyze attack vectors and impact
5. **Recovery**: Restore secure operations
6. **Learning**: Update security measures based on findings
**Contact Information**
For security issues, please follow our responsible disclosure policy:
1. Do not disclose security issues publicly
2. Contact the development team privately
3. Provide detailed reproduction steps
4. Allow reasonable time for fix development
## 🔧 Configuration Reference
### Security Environment Variables
```bash
# Authentication
WHOOSH_JWT_SECRET=your-strong-secret-here
WHOOSH_JWT_SECRET_FILE=/run/secrets/jwt_secret
WHOOSH_JWT_EXPIRATION=24h
WHOOSH_JWT_ISSUER=whoosh
WHOOSH_JWT_ALGORITHM=HS256
# Service Tokens
WHOOSH_SERVICE_TOKEN=your-service-token
WHOOSH_SERVICE_TOKEN_FILE=/run/secrets/service_token
WHOOSH_SERVICE_TOKEN_HEADER=X-Service-Token
# CORS Security
WHOOSH_CORS_ALLOWED_ORIGINS=https://app.company.com
WHOOSH_CORS_ALLOWED_ORIGINS_FILE=/run/secrets/allowed_origins
WHOOSH_CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS
WHOOSH_CORS_ALLOWED_HEADERS=Authorization,Content-Type
WHOOSH_CORS_ALLOW_CREDENTIALS=true
# Rate Limiting
WHOOSH_RATE_LIMIT_ENABLED=true
WHOOSH_RATE_LIMIT_REQUESTS=100
WHOOSH_RATE_LIMIT_WINDOW=60s
WHOOSH_RATE_LIMIT_CLEANUP_INTERVAL=300s
# Input Validation
WHOOSH_MAX_REQUEST_SIZE=1048576 # 1MB
WHOOSH_MAX_WEBHOOK_SIZE=10485760 # 10MB
WHOOSH_VALIDATION_STRICT=true
# TLS Configuration
WHOOSH_TLS_ENABLED=false # Set to true in production
WHOOSH_TLS_CERT_FILE=/path/to/cert.pem
WHOOSH_TLS_KEY_FILE=/path/to/key.pem
WHOOSH_TLS_MIN_VERSION=1.2
```
### Production Security Checklist
**Deployment Security**
- [ ] All secrets configured via files or secure environment variables
- [ ] CORS origins restricted to specific domains (no wildcards)
- [ ] TLS enabled with valid certificates
- [ ] Rate limiting configured and enabled
- [ ] Input validation strict mode enabled
- [ ] Security headers properly configured
- [ ] Database connections using SSL/TLS
- [ ] Webhook secrets properly configured
- [ ] Monitoring and alerting configured
- [ ] Security audit logging enabled
**Operational Security**
- [ ] Regular security updates applied
- [ ] Access logs monitored
- [ ] Failed authentication attempts tracked
- [ ] Rate limit violations monitored
- [ ] Administrative actions audited
- [ ] Backup security validated
- [ ] Incident response procedures documented
- [ ] Security training completed for operators
## 📚 Related Documentation
- **[Security Audit Report](SECURITY_AUDIT_REPORT.md)** - Detailed security audit findings and remediation
- **[Configuration Guide](docs/CONFIGURATION.md)** - Complete configuration documentation
- **[API Specification](docs/API_SPECIFICATION.md)** - API security details and authentication
- **[Deployment Guide](docs/DEPLOYMENT.md)** - Secure production deployment procedures
---
**Security Status**: **Production Ready**
**Last Security Audit**: 2025-09-12
**Compliance Level**: Enterprise-Grade
For security questions or to report security vulnerabilities, please refer to our incident response procedures above.