stl-storage/SECURITY.md
kris 3dff6b00d4 Initial commit: STL Storage Application
- Complete web-based STL file storage and 3D viewer
- Express.js backend with SQLite database
- Interactive Three.js 3D viewer with orbit controls
- File upload with drag-and-drop support
- Security features: rate limiting, input validation, helmet
- Container deployment with Docker/Podman
- Production-ready configuration management
- Comprehensive logging and monitoring

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-07 16:18:58 +00:00

Security Guidelines

Security Features Implemented

🛡️ Application Security

  • Helmet.js: Security headers (CSP, XSS protection, etc.)
  • Rate Limiting: API endpoints protected against abuse
  • Input Validation: Express-validator for all user inputs
  • File Validation: STL format validation and content checks
  • Filename Sanitization: Prevents path traversal attacks
  • Error Handling: No sensitive information in error messages

🔐 Container Security

  • Non-root User: Application runs as stlapp:1001
  • Minimal Base Image: Alpine Linux for reduced attack surface
  • Dependency Scanning: Production-only dependencies
  • Volume Permissions: Proper file system permissions

📊 Monitoring & Logging

  • Winston Logging: Structured logging with rotation
  • Health Checks: Container health monitoring
  • Audit Trail: File upload/delete operations logged

Security Configuration

Environment Variables

# Rate limiting
RATE_LIMIT_WINDOW_MS=900000    # 15 minutes
RATE_LIMIT_MAX_REQUESTS=100    # Max requests per window

# File upload security
MAX_FILE_SIZE=104857600        # 100MB max file size
MAX_FILES_PER_REQUEST=5        # Max files per upload
ALLOWED_EXTENSIONS=.stl,.STL   # Allowed file extensions

# Logging
LOG_LEVEL=info                 # Log level

# Production example (replaces the defaults above; SESSION_SECRET is a placeholder)
NODE_ENV=production
SESSION_SECRET=your-strong-secret-key-here
LOG_LEVEL=warn
RATE_LIMIT_MAX_REQUESTS=50

Security Best Practices

🌐 Network Security

  • Use reverse proxy (nginx/traefik) in production
  • Enable HTTPS with valid certificates
  • Configure firewall rules
  • Use VPN or private networks when possible

📁 File Storage Security

  • Regularly scan uploaded files for malware
  • Implement file retention policies
  • Monitor storage usage and quotas
  • Backup data with encryption

🔄 Container Security

  • Regularly update base images
  • Scan images for vulnerabilities
  • Use secrets management for sensitive data
  • Enable container runtime security

📈 Monitoring

  • Monitor failed authentication attempts
  • Track unusual upload patterns
  • Set up alerts for security events
  • Regular security audits

Vulnerability Reporting

If you discover a security vulnerability, please:

  1. Do not create a public issue
  2. Email security details privately
  3. Include steps to reproduce
  4. Allow time for patching before disclosure

Security Checklist

Pre-deployment

  • Change default passwords/secrets
  • Configure rate limiting
  • Set up HTTPS
  • Configure logging
  • Test file upload validation
  • Verify container permissions

Post-deployment

  • Monitor logs for anomalies
  • Set up security alerts
  • Regular vulnerability scans
  • Update dependencies regularly
  • Backup verification
  • Security audit schedule