tutortool/backend/SECURITY.md
2026-05-03 00:41:50 +02:00

Security Policy

Vulnerability Reports

If you find a security vulnerability, please do not open a public issue. Instead, report it privately to the maintainers.

Audit Documentation

RUSTSEC-2023-0071 (h2)

We currently ignore RUSTSEC-2023-0071 in our cargo audit step. This advisory concerns the h2 crate (an HTTP/2 implementation), which is susceptible to a Denial of Service (DoS) attack via rapid stream resets.

Risk Assessment:

  • TutorTool is typically deployed behind a reverse proxy or Kubernetes ingress controller (e.g., Nginx, Traefik, Istio).
  • Most modern ingress controllers mitigate this attack at the edge before it reaches the backend service.
  • We are tracking the upstream fixes in the Axum/Hyper ecosystem and will remove this ignore once the dependency tree is fully patched and verified.

Hardening Decisions

  • Password Hashing: Argon2id is the standard for all new passwords. Legacy bcrypt hashes are lazily migrated on successful login.
  • JWT Auth: Access tokens are short-lived (15 minutes), and refresh tokens (7 days) are used for rotation. Both are stored in HttpOnly, SameSite=Strict cookies. The JWT contains minimal data (user ID and roles only); sensitive data such as email is fetched from the database when needed.
  • Security Headers: CSP, X-Content-Type-Options, and X-Frame-Options are enforced by the backend middleware.
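The cookie rules in the JWT Auth item above can be checked mechanically against the Set-Cookie headers the backend actually emits. The following is an added example written for this page, not TutorTool's own code; it assumes the cookies are named access_token and refresh_token and that their lifetimes are expressed with Max-Age, neither of which the policy states.

```rust
// Added example (not TutorTool's code): verify that a Set-Cookie header
// follows the policy above (HttpOnly, SameSite=Strict, bounded lifetime).
// Assumptions: cookie names and the use of Max-Age are not given on the page.
use std::collections::HashMap;

/// Maximum lifetimes from the policy: 15 minutes and 7 days, in seconds.
pub const ACCESS_MAX_AGE: u64 = 15 * 60;
pub const REFRESH_MAX_AGE: u64 = 7 * 24 * 60 * 60;

/// Parse "name=value; Attr; Attr=val" into (name, attributes), with
/// attribute names lower-cased so the check is case-insensitive.
pub fn parse_set_cookie(header: &str) -> Option<(String, HashMap<String, String>)> {
    let mut parts = header.split(';').map(str::trim);
    let (name, _value) = parts.next()?.split_once('=')?;
    let attrs = parts
        .filter(|p| !p.is_empty())
        .map(|p| match p.split_once('=') {
            Some((k, v)) => (k.trim().to_ascii_lowercase(), v.trim().to_string()),
            None => (p.to_ascii_lowercase(), String::new()),
        })
        .collect();
    Some((name.trim().to_string(), attrs))
}

/// Return the policy violations for one Set-Cookie header; empty means compliant.
pub fn cookie_violations(header: &str) -> Vec<String> {
    let (name, attrs) = match parse_set_cookie(header) {
        Some(parsed) => parsed,
        None => return vec!["unparseable Set-Cookie header".to_string()],
    };
    let mut out = Vec::new();
    if !attrs.contains_key("httponly") {
        out.push(format!("{name}: missing HttpOnly"));
    }
    if !attrs.get("samesite").map_or(false, |v| v.eq_ignore_ascii_case("strict")) {
        out.push(format!("{name}: SameSite must be Strict"));
    }
    // Which lifetime bound applies depends on the (assumed) cookie name.
    let limit = match name.as_str() {
        "access_token" => Some(ACCESS_MAX_AGE),
        "refresh_token" => Some(REFRESH_MAX_AGE),
        _ => None,
    };
    let age = attrs.get("max-age").and_then(|v| v.parse::<u64>().ok());
    match (limit, age) {
        (Some(max), Some(age)) if age > max => out.push(format!("{name}: Max-Age {age} exceeds {max}")),
        (Some(_), None) => out.push(format!("{name}: missing or invalid Max-Age")),
        _ => {}
    }
    out
}
```

Running this over the headers captured from a login response (for example in an integration test) turns the policy into a regression check rather than a convention.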