- Fix SQLCipher PRAGMA key interpolation (hex-encode key to prevent crash on single quotes)
- Enforce min password length (8 chars) on admin user creation
- Add length bounds on username/display_name and login inputs
- Invalidate other sessions on password change
- Multi-stage Docker build (exclude build tools from runtime)
- Exclude docs/ from Docker image
- Consolidate dotenv.config() to single entry point
- Document flat family authorization model in SECURITY.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Security Policy
Reporting a Vulnerability
If you discover a security vulnerability in Oikos, please report it responsibly. Do not open a public issue.
Instead, use GitHub Private Vulnerability Reporting to submit your report. This creates a private advisory visible only to you and the maintainers.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
You should receive an acknowledgment within 48 hours. Fixes for confirmed vulnerabilities will be released as soon as possible.
Scope
Oikos is designed for self-hosted deployment on a private network behind a reverse proxy with SSL. The security model assumes:
- The server is not directly exposed to the public internet without Nginx + TLS
- The admin controls all user accounts (no public registration)
- The host machine itself is reasonably secured
Vulnerabilities that require physical access to the host or root on the server are generally out of scope.
Security Features
- Session-based auth with `httpOnly`, `SameSite=Strict`, `Secure` cookies
- CSRF protection via Double Submit Cookie on all state-changing requests
- Passwords hashed with bcrypt (cost factor 12)
- Login rate limiting (5 attempts/min per IP)
- API rate limiting (300 requests/min per IP)
- Content Security Policy via Helmet (`self`-only)
- Optional SQLCipher AES-256 database encryption
- No API endpoint accessible without session auth (except login)
Authorization Model
Oikos uses a flat family authorization model:
- Admin can create, edit, and delete all user accounts and all shared data.
- Member can read and write all shared data (tasks, shopping lists, meals, calendar events, notes, contacts, budget entries) but cannot manage user accounts.
There is no per-user data isolation — all family members see and can edit all data. This is intentional: Oikos is a shared family planner, not a multi-tenant application.
Supported Versions
Only the latest version on main receives security updates. There are no LTS branches.