openclaw/oikos
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6046cac7a8ccc588a524dceddc817b94b2abeeca
oikos/SECURITY.md
T
Ulas 6e0eda8ba4 fix(security): address multiple security findings from audit 
- Fix SQLCipher PRAGMA key interpolation (hex-encode key to prevent crash on single quotes)
- Enforce min password length (8 chars) on admin user creation
- Add length bounds on username/display_name and login inputs
- Invalidate other sessions on password change
- Multi-stage Docker build (exclude build tools from runtime)
- Exclude docs/ from Docker image
- Consolidate dotenv.config() to single entry point
- Document flat family authorization model in SECURITY.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-03 09:11:17 +02:00

51 lines
2.1 KiB
Markdown
Raw Blame History

# Security Policy
## Reporting a Vulnerability
If you discover a security vulnerability in Oikos, please report it responsibly. **Do not open a public issue.**
Instead, use [GitHub Private Vulnerability Reporting](https://github.com/ulsklyc/oikos/security/advisories/new) to submit your report. This creates a private advisory visible only to you and the maintainers.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
You should receive an acknowledgment within 48 hours. Fixes for confirmed vulnerabilities will be released as soon as possible.
## Scope
Oikos is designed for self-hosted deployment on a private network behind a reverse proxy with SSL. The security model assumes:
- The server is not directly exposed to the public internet without Nginx + TLS
- The admin controls all user accounts (no public registration)
- The host machine itself is reasonably secured
Vulnerabilities that require physical access to the host or root on the server are generally out of scope.
## Security Features
- Session-based auth with `httpOnly`, `SameSite=Strict`, `Secure` cookies
- CSRF protection via Double Submit Cookie on all state-changing requests
- Passwords hashed with bcrypt (cost factor 12)
- Login rate limiting (5 attempts/min per IP)
- API rate limiting (300 requests/min per IP)
- Content Security Policy via Helmet (`self`-only)
- Optional SQLCipher AES-256 database encryption
- No API endpoint accessible without session auth (except login)
## Authorization Model
Oikos uses a flat family authorization model:
- **Admin** can create, edit, and delete all user accounts and all shared data.
- **Member** can read and write all shared data (tasks, shopping lists, meals, calendar events, notes, contacts, budget entries) but cannot manage user accounts.
There is no per-user data isolation — all family members see and can edit all data. This is intentional: Oikos is a shared family planner, not a multi-tenant application.
## Supported Versions
Only the latest version on `main` receives security updates. There are no LTS branches.
Reference in New Issue View Git Blame Copy Permalink