# Security Policy
## Vulnerability Reports
If you find a security vulnerability, please do not open a public issue. Instead, report it privately to the maintainers.
## Audit Documentation
### RUSTSEC-2023-0071 (h2)
We currently ignore `RUSTSEC-2023-0071` in our `cargo audit` step. The rationale recorded for this exemption is that the `h2` crate (the HTTP/2 implementation used by Hyper) is susceptible to a Denial of Service (DoS) attack via rapid stream resets (HTTP/2 Rapid Reset, CVE-2023-44487). Note that in the RustSec advisory database `RUSTSEC-2023-0071` is the Marvin Attack timing side-channel advisory for the `rsa` crate, not an `h2` advisory; the ignored ID and the rationale below must be reconciled against the actual `cargo audit` output before this exemption is relied on.

**Risk Assessment:**

- TutorTool is typically deployed behind a reverse proxy or Kubernetes ingress controller (e.g., Nginx, Traefik, Istio) that terminates client HTTP/2 connections.
- Most modern ingress controllers mitigate Rapid Reset at the edge, so the attack does not reach the backend as long as the proxy-to-backend hop speaks HTTP/1.1 or the proxy enforces its own stream-reset limits. A deployment that exposes the backend directly is not covered by this assumption.
- We are tracking the upstream fixes in the Axum/Hyper ecosystem and will remove this ignore once the dependency tree is fully patched, verified by running `cargo audit` without the ignore.
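An audit exemption like this is easiest to keep honest when it lives in `.cargo/audit.toml` next to the code rather than in a CI command-line flag, so the ID, the pointer to the rationale and a review date travel with the repository. The fragment below is an added example, not TutorTool's actual configuration; the review date is a placeholder, and the ID should be whichever advisory is finally confirmed against the `cargo audit` output.

```toml
# .cargo/audit.toml (added example, not the project's own file)
[advisories]
# Every entry names the advisory, points at the written rationale in
# SECURITY.md, and carries a date after which the exemption is re-evaluated.
ignore = [
    "RUSTSEC-2023-0071", # SECURITY.md "Audit Documentation"; review by YYYY-MM-DD (placeholder)
]
```

`cargo audit --ignore RUSTSEC-2023-0071` on the command line is equivalent for a one-off run. To confirm the exemption is still needed, comment the entry out and run `cargo audit`: the report shows the crate and title behind the ID, which is the check that catches a mismatch between the ignored advisory and the documented reason.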
## Hardening Decisions
- **Password Hashing:** Argon2id is the standard for all new passwords. Legacy bcrypt hashes are migrated lazily: when a user whose stored hash is bcrypt logs in successfully, the plaintext (available only at that moment) is re-hashed with Argon2id and the stored hash is replaced. Accounts that never log in keep their bcrypt hash until they do.
- **JWT Auth:** Access tokens are short-lived (15 minutes); refresh tokens (7 days) are used to obtain new access tokens and are rotated, so a redeemed refresh token is replaced rather than reused. Both are stored in `HttpOnly`, `SameSite=Strict` cookies, so they are not readable from JavaScript and are not sent on cross-site requests; the `Secure` attribute must also be set so they are never sent over plain HTTP. The JWT carries minimal claims (user ID and roles only); sensitive data such as the email address is fetched from the database when needed.
- **Security Headers:** `Content-Security-Policy`, `X-Content-Type-Options` and `X-Frame-Options` are set by the backend middleware on every response. A CSP `frame-ancestors` directive, where present, takes precedence over `X-Frame-Options` in modern browsers; the latter remains for older clients.
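The two decisions the server makes after a successful login under this policy, as an added example that is not TutorTool's own code: `needs_rehash` inspects the stored hash's PHC prefix and decides whether to re-hash with Argon2id (covering the bcrypt-to-Argon2id migration above and, more generally, raising Argon2id parameters later), and `auth_cookies` emits the `Set-Cookie` values for the 15-minute access token and 7-day refresh token with the attributes above. The Argon2id parameter floor, the `Secure` attribute, the `__Host-`/`__Secure-` cookie prefixes and the `/auth/refresh` path are assumptions; the actual verification and hashing are assumed to be done by the `bcrypt` and `argon2` crates and are not shown, so this compiles with `rustc` and the standard library alone.

```rust
// Added example, not TutorTool's code: the two decisions the server makes on a
// successful login under the policy above. Verification and hashing are assumed
// to be done by the `bcrypt` and `argon2` crates and are not shown; this
// std-only code decides whether to re-hash and how to set the token cookies.

/// Assumed Argon2id floor: 19 MiB memory, 2 passes, 1 lane.
const ARGON2_M_KIB: u32 = 19_456;
const ARGON2_T: u32 = 2;
const ARGON2_P: u32 = 1;
/// Lifetimes from the policy: 15-minute access token, 7-day refresh token.
const ACCESS_TTL_SECS: u64 = 15 * 60;
const REFRESH_TTL_SECS: u64 = 7 * 24 * 60 * 60;

/// Decide, after a successful verification, whether the stored PHC-format hash
/// must be replaced. Legacy bcrypt is always migrated; argon2id is re-hashed
/// when its parameters are below the floor (the general form of lazy
/// migration). Unrecognised input returns true, which is harmless here because
/// this only runs once the supplied password has already verified.
fn needs_rehash(stored: &str) -> bool {
    let mut parts = stored.split('$');
    // PHC strings start with '$', so the first field is empty.
    if parts.next() != Some("") {
        return true;
    }
    match parts.next() {
        // bcrypt: "$2a$", "$2b$", "$2y$"
        Some("2a") | Some("2b") | Some("2y") => true,
        Some("argon2id") => {
            // Optional "v=19" precedes "m=..,t=..,p=..".
            let mut field = parts.next();
            if field.map_or(false, |f| f.starts_with("v=")) {
                field = parts.next();
            }
            let params = match field {
                Some(p) => p,
                None => return true,
            };
            let (mut m, mut t, mut p) = (0u32, 0u32, 0u32);
            for kv in params.split(',') {
                match kv.split_once('=') {
                    Some(("m", v)) => m = v.parse().unwrap_or(0),
                    Some(("t", v)) => t = v.parse().unwrap_or(0),
                    Some(("p", v)) => p = v.parse().unwrap_or(0),
                    _ => return true,
                }
            }
            m < ARGON2_M_KIB || t < ARGON2_T || p < ARGON2_P
        }
        _ => true, // argon2i/argon2d or unknown scheme: not the policy, re-hash
    }
}

/// RFC 6265 cookie-octet check: rejects CTLs (so CR/LF), whitespace, '"',
/// ',', ';' and '\\'. JWTs (base64url plus '.') and random tokens pass.
fn valid_cookie_value(v: &str) -> bool {
    !v.is_empty()
        && v.bytes().all(|b| {
            b == 0x21
                || (0x23..=0x2B).contains(&b)
                || (0x2D..=0x3A).contains(&b)
                || (0x3C..=0x5B).contains(&b)
                || (0x5D..=0x7E).contains(&b)
        })
}

pub struct AuthCookies {
    pub access: String,
    pub refresh: String,
}

/// Build both Set-Cookie values. `Secure` is added to the policy's
/// HttpOnly/SameSite=Strict (assumes HTTPS only). The refresh cookie is scoped
/// to the assumed refresh endpoint so the long-lived token is not sent with
/// ordinary requests.
fn auth_cookies(access_jwt: &str, refresh_token: &str) -> Result<AuthCookies, &'static str> {
    if !valid_cookie_value(access_jwt) || !valid_cookie_value(refresh_token) {
        return Err("token contains characters not allowed in a cookie value");
    }
    let common = "HttpOnly; Secure; SameSite=Strict";
    Ok(AuthCookies {
        // __Host- is only accepted by browsers with Secure, Path=/ and no Domain.
        access: format!("__Host-access_token={access_jwt}; Path=/; Max-Age={ACCESS_TTL_SECS}; {common}"),
        // __Secure- is the strongest prefix compatible with a non-root Path.
        refresh: format!("__Secure-refresh_token={refresh_token}; Path=/auth/refresh; Max-Age={REFRESH_TTL_SECS}; {common}"),
    })
}

fn main() {
    // Constructed sample hashes with dummy salt/hash fields, not real credentials.
    for h in [
        "$2b$12$abcdefghijklmnopqrstuu",
        "$argon2id$v=19$m=19456,t=2,p=1$c2FsdHNhbHQ$aGFzaGhhc2g",
        "$argon2id$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$aGFzaGhhc2g",
    ] {
        println!("{h} -> needs_rehash = {}", needs_rehash(h));
    }
    let c = auth_cookies("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2ln", "r3fr3shT0k3n").unwrap();
    println!("Set-Cookie: {}\nSet-Cookie: {}", c.access, c.refresh);
    assert!(auth_cookies("a\r\nSet-Cookie: evil=1", "x").is_err()); // CRLF never reaches a header
}
```

The cookie-value check refuses CR/LF and the RFC 6265 separators so a malformed token cannot turn into header injection, and the refresh cookie's `Path` scoping means the 7-day token is only transmitted to the endpoint that redeems it. On logout, expire both cookies with the same names, prefixes and `Path` values (`Max-Age=0`); a clearing cookie with a different `Path` leaves the originals in place.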