kris/stl-storage
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
stl-storage/SECURITY.md
kris 3dff6b00d4 Initial commit: STL Storage Application 
- Complete web-based STL file storage and 3D viewer
- Express.js backend with SQLite database
- Interactive Three.js 3D viewer with orbit controls
- File upload with drag-and-drop support
- Security features: rate limiting, input validation, helmet
- Container deployment with Docker/Podman
- Production-ready configuration management
- Comprehensive logging and monitoring

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-07 16:18:58 +00:00

99 lines
2.8 KiB
Markdown
Raw Permalink Blame History

# Security Guidelines
## Security Features Implemented
### 🛡️ **Application Security**
- **Helmet.js**: Security headers (CSP, XSS protection, etc.)
- **Rate Limiting**: API endpoints protected against abuse
- **Input Validation**: Express-validator for all user inputs
- **File Validation**: STL format validation and content checks
- **Filename Sanitization**: Prevents path traversal attacks
- **Error Handling**: No sensitive information in error messages
### 🔐 **Container Security**
- **Non-root User**: Application runs as `stlapp:1001`
- **Minimal Base Image**: Alpine Linux for reduced attack surface
- **Dependency Scanning**: Production-only dependencies
- **Volume Permissions**: Proper file system permissions
### 📊 **Monitoring & Logging**
- **Winston Logging**: Structured logging with rotation
- **Health Checks**: Container health monitoring
- **Audit Trail**: File upload/delete operations logged
## Security Configuration
### Environment Variables
```bash
# Rate limiting
RATE_LIMIT_WINDOW_MS=900000 # 15 minutes
RATE_LIMIT_MAX_REQUESTS=100 # Max requests per window
# File upload security
MAX_FILE_SIZE=104857600 # 100MB max file size
MAX_FILES_PER_REQUEST=5 # Max files per upload
ALLOWED_EXTENSIONS=.stl,.STL # Allowed file extensions
# Logging
LOG_LEVEL=info # Log level
```
### Recommended Production Settings
```bash
NODE_ENV=production
SESSION_SECRET=your-strong-secret-key-here
LOG_LEVEL=warn
RATE_LIMIT_MAX_REQUESTS=50
```
## Security Best Practices
### 🌐 **Network Security**
- Use reverse proxy (nginx/traefik) in production
- Enable HTTPS with valid certificates
- Configure firewall rules
- Use VPN or private networks when possible
### 📁 **File Storage Security**
- Regularly scan uploaded files for malware
- Implement file retention policies
- Monitor storage usage and quotas
- Backup data with encryption
### 🔄 **Container Security**
- Regularly update base images
- Scan images for vulnerabilities
- Use secrets management for sensitive data
- Enable container runtime security
### 📈 **Monitoring**
- Monitor failed authentication attempts
- Track unusual upload patterns
- Set up alerts for security events
- Regular security audits
## Vulnerability Reporting
If you discover a security vulnerability, please:
1. **Do not** create a public issue
2. Email security details privately
3. Include steps to reproduce
4. Allow time for patching before disclosure
## Security Checklist
### Pre-deployment
- [ ] Change default passwords/secrets
- [ ] Configure rate limiting
- [ ] Set up HTTPS
- [ ] Configure logging
- [ ] Test file upload validation
- [ ] Verify container permissions
### Post-deployment
- [ ] Monitor logs for anomalies
- [ ] Set up security alerts
- [ ] Regular vulnerability scans
- [ ] Update dependencies regularly
- [ ] Backup verification
- [ ] Security audit schedule
Reference in New Issue View Git Blame Copy Permalink