Add files via upload
@@ -0,0 +1,41 @@
# Security Policy

## Reporting a Vulnerability

If you discover a security vulnerability in Oikos, please report it responsibly. **Do not open a public issue.**

Email: **ulsklyc@gmail.com**

Include:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)

You should receive an acknowledgment within 48 hours. Fixes for confirmed vulnerabilities will be released as soon as possible.

## Scope

Oikos is designed for self-hosted deployment on a private network behind a reverse proxy with SSL. The security model assumes:

- The server is not directly exposed to the public internet without Nginx + TLS
- The admin controls all user accounts (no public registration)
- The host machine itself is reasonably secured

Vulnerabilities that require physical access to the host or root on the server are generally out of scope.

## Security Features

- Session-based auth with `httpOnly`, `SameSite=Strict`, `Secure` cookies
- CSRF protection via Double Submit Cookie on all state-changing requests
- Passwords hashed with bcrypt (cost factor 12)
- Login rate limiting (5 attempts/min per IP)
- API rate limiting (300 requests/min per IP)
- Content Security Policy via Helmet (`self`-only)
- Optional SQLCipher AES-256 database encryption
- No API endpoint accessible without session auth (except login)

## Supported Versions

Only the latest version on `main` receives security updates. There are no LTS branches.
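Review bot: the Scope section assumes Nginx + TLS in front of the application, but the Security Features list does not state whether the application trusts the proxy's forwarded client address; without that, the per-IP limits in `- Login rate limiting (5 attempts/min per IP)` and `- API rate limiting (300 requests/min per IP)` see the proxy's address for every request, so all users share one bucket and one noisy client can lock everyone out, and the `Secure` cookie flag only does its job if the proxy actually terminates TLS. Suggest adding a line under Scope stating that expectation (the proxy must pass the real client address, for example via `X-Forwarded-For`, and the application must trust only that proxy). The Reporting a Vulnerability section also promises acknowledgment within 48 hours but gives no target window for a fix beyond "as soon as possible" and no coordinated-disclosure expectation; a stated timeline would tell reporters when they may reasonably publish.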