stl-storage/SECURITY.md

# Security Guidelines

## Security Features Implemented

### 🛡️ **Application Security**
- **Helmet.js**: Security headers (CSP, XSS protection, etc.)
- **Rate Limiting**: API endpoints protected against abuse
- **Input Validation**: Express-validator for all user inputs
- **File Validation**: STL format validation and content checks
- **Filename Sanitization**: Prevents path traversal attacks
- **Error Handling**: No sensitive information in error messages

### 🔐 **Container Security**
- **Non-root User**: Application runs as `stlapp:1001`
- **Minimal Base Image**: Alpine Linux for reduced attack surface
- **Dependency Scanning**: Production-only dependencies
- **Volume Permissions**: Proper file system permissions

### 📊 **Monitoring & Logging**
- **Winston Logging**: Structured logging with rotation
- **Health Checks**: Container health monitoring
- **Audit Trail**: File upload/delete operations logged

## Security Configuration

### Environment Variables
```bash
# Rate limiting
RATE_LIMIT_WINDOW_MS=900000    # 15 minutes
RATE_LIMIT_MAX_REQUESTS=100    # Max requests per window

# File upload security
MAX_FILE_SIZE=104857600        # 100MB max file size
MAX_FILES_PER_REQUEST=5        # Max files per upload
ALLOWED_EXTENSIONS=.stl,.STL   # Allowed file extensions

# Logging
LOG_LEVEL=info                 # Log level
```

### Recommended Production Settings
```bash
NODE_ENV=production
SESSION_SECRET=your-strong-secret-key-here
LOG_LEVEL=warn
RATE_LIMIT_MAX_REQUESTS=50
```

## Security Best Practices

### 🌐 **Network Security**
- Use reverse proxy (nginx/traefik) in production
- Enable HTTPS with valid certificates
- Configure firewall rules
- Use VPN or private networks when possible

### 📁 **File Storage Security**
- Regularly scan uploaded files for malware
- Implement file retention policies
- Monitor storage usage and quotas
- Backup data with encryption

### 🔄 **Container Security**
- Regularly update base images
- Scan images for vulnerabilities
- Use secrets management for sensitive data
- Enable container runtime security

### 📈 **Monitoring**
- Monitor failed authentication attempts
- Track unusual upload patterns
- Set up alerts for security events
- Regular security audits

## Vulnerability Reporting

If you discover a security vulnerability, please:
1. **Do not** create a public issue
2. Email security details privately
3. Include steps to reproduce
4. Allow time for patching before disclosure

## Security Checklist

### Pre-deployment
- [ ] Change default passwords/secrets
- [ ] Configure rate limiting
- [ ] Set up HTTPS
- [ ] Configure logging
- [ ] Test file upload validation
- [ ] Verify container permissions

### Post-deployment
- [ ] Monitor logs for anomalies
- [ ] Set up security alerts
- [ ] Regular vulnerability scans
- [ ] Update dependencies regularly
- [ ] Backup verification
- [ ] Security audit schedule
Initial commit: STL Storage Application - Complete web-based STL file storage and 3D viewer - Express.js backend with SQLite database - Interactive Three.js 3D viewer with orbit controls - File upload with drag-and-drop support - Security features: rate limiting, input validation, helmet - Container deployment with Docker/Podman - Production-ready configuration management - Comprehensive logging and monitoring 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-07 17:18:58 +01:00			`# Security Guidelines`

			`## Security Features Implemented`

			`### 🛡️ Application Security`
			`- Helmet.js: Security headers (CSP, XSS protection, etc.)`
			`- Rate Limiting: API endpoints protected against abuse`
			`- Input Validation: Express-validator for all user inputs`
			`- File Validation: STL format validation and content checks`
			`- Filename Sanitization: Prevents path traversal attacks`
			`- Error Handling: No sensitive information in error messages`

			`### 🔐 Container Security`
			- Non-root User: Application runs as `stlapp:1001`
			`- Minimal Base Image: Alpine Linux for reduced attack surface`
			`- Dependency Scanning: Production-only dependencies`
			`- Volume Permissions: Proper file system permissions`

			`### 📊 Monitoring & Logging`
			`- Winston Logging: Structured logging with rotation`
			`- Health Checks: Container health monitoring`
			`- Audit Trail: File upload/delete operations logged`

			`## Security Configuration`

			`### Environment Variables`
			```bash
			`# Rate limiting`
			`RATE_LIMIT_WINDOW_MS=900000 # 15 minutes`
			`RATE_LIMIT_MAX_REQUESTS=100 # Max requests per window`

			`# File upload security`
			`MAX_FILE_SIZE=104857600 # 100MB max file size`
			`MAX_FILES_PER_REQUEST=5 # Max files per upload`
			`ALLOWED_EXTENSIONS=.stl,.STL # Allowed file extensions`

			`# Logging`
			`LOG_LEVEL=info # Log level`
			```

			`### Recommended Production Settings`
			```bash
			`NODE_ENV=production`
			`SESSION_SECRET=your-strong-secret-key-here`
			`LOG_LEVEL=warn`
			`RATE_LIMIT_MAX_REQUESTS=50`
			```

			`## Security Best Practices`

			`### 🌐 Network Security`
			`- Use reverse proxy (nginx/traefik) in production`
			`- Enable HTTPS with valid certificates`
			`- Configure firewall rules`
			`- Use VPN or private networks when possible`

			`### 📁 File Storage Security`
			`- Regularly scan uploaded files for malware`
			`- Implement file retention policies`
			`- Monitor storage usage and quotas`
			`- Backup data with encryption`

			`### 🔄 Container Security`
			`- Regularly update base images`
			`- Scan images for vulnerabilities`
			`- Use secrets management for sensitive data`
			`- Enable container runtime security`

			`### 📈 Monitoring`
			`- Monitor failed authentication attempts`
			`- Track unusual upload patterns`
			`- Set up alerts for security events`
			`- Regular security audits`

			`## Vulnerability Reporting`

			`If you discover a security vulnerability, please:`
			`1. Do not create a public issue`
			`2. Email security details privately`
			`3. Include steps to reproduce`
			`4. Allow time for patching before disclosure`

			`## Security Checklist`

			`### Pre-deployment`
			`- [ ] Change default passwords/secrets`
			`- [ ] Configure rate limiting`
			`- [ ] Set up HTTPS`
			`- [ ] Configure logging`
			`- [ ] Test file upload validation`
			`- [ ] Verify container permissions`

			`### Post-deployment`
			`- [ ] Monitor logs for anomalies`
			`- [ ] Set up security alerts`
			`- [ ] Regular vulnerability scans`
			`- [ ] Update dependencies regularly`
			`- [ ] Backup verification`
			`- [ ] Security audit schedule`