ulsklyc
42 lines
1.4 KiB
Markdown
42 lines
1.4 KiB
Markdown
# Security Policy
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
If you discover a security vulnerability in Oikos, please report it responsibly. **Do not open a public issue.**
|
|
|
|
Email: **ulsklyc@gmail.com**
|
|
|
|
Include:
|
|
|
|
- Description of the vulnerability
|
|
- Steps to reproduce
|
|
- Potential impact
|
|
- Suggested fix (if you have one)
|
|
|
|
You should receive an acknowledgment within 48 hours. Fixes for confirmed vulnerabilities will be released as soon as possible.
|
|
|
|
## Scope
|
|
|
|
Oikos is designed for self-hosted deployment on a private network behind a reverse proxy with SSL. The security model assumes:
|
|
|
|
- The server is not directly exposed to the public internet without Nginx + TLS
|
|
- The admin controls all user accounts (no public registration)
|
|
- The host machine itself is reasonably secured
|
|
|
|
Vulnerabilities that require physical access to the host or root on the server are generally out of scope.
|
|
|
|
## Security Features
|
|
|
|
- Session-based auth with `httpOnly`, `SameSite=Strict`, `Secure` cookies
|
|
- CSRF protection via Double Submit Cookie on all state-changing requests
|
|
- Passwords hashed with bcrypt (cost factor 12)
|
|
- Login rate limiting (5 attempts/min per IP)
|
|
- API rate limiting (300 requests/min per IP)
|
|
- Content Security Policy via Helmet (`self`-only)
|
|
- Optional SQLCipher AES-256 database encryption
|
|
- No API endpoint accessible without session auth (except login)
|
|
|
|
## Supported Versions
|
|
|
|
Only the latest version on `main` receives security updates. There are no LTS branches.
|