* Initial plan
* docs: add comprehensive contributing guidelines and templates
  Co-authored-by: onnwee <211922112+onnwee@users.noreply.github.com>
* docs: update README and SECURITY with better formatting and links
  Co-authored-by: onnwee <211922112+onnwee@users.noreply.github.com>
* docs: finalize contributing guidelines and formatting
  Co-authored-by: onnwee <211922112+onnwee@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: onnwee <211922112+onnwee@users.noreply.github.com>
5.8 KiB
Security Policy
🔒 Security Measures
This document outlines the security measures implemented in Discord SpyWatcher to protect against common vulnerabilities and attacks.
HTTP Security Headers
We use Helmet.js to set secure HTTP headers:
- Content-Security-Policy (CSP): Prevents XSS attacks by controlling allowed content sources
- Strict-Transport-Security (HSTS): Enforces HTTPS connections (1 year max-age)
- X-Frame-Options: Prevents clickjacking attacks (set to DENY)
- X-Content-Type-Options: Prevents MIME-sniffing attacks
- X-XSS-Protection: Enables browser XSS filtering
- Referrer-Policy: Controls referrer information (strict-origin-when-cross-origin)
Rate Limiting
Multiple rate limiters protect against brute force and DoS attacks:
- Authentication endpoints: 5 requests per 15 minutes
- Refresh token endpoint: 10 requests per 15 minutes
- General API endpoints: 100 requests per 15 minutes
- Admin endpoints: 30 requests per 15 minutes
Input Validation
All user input is validated using Zod schemas:
- Request body, query parameters, and URL parameters are validated
- Discord IDs are validated to match the correct format (17-19 digits)
- Role changes are restricted to valid enum values
- Invalid requests return detailed error messages
Authentication & Authorization
- JWT tokens with secure secret keys (minimum 32 characters)
- Access tokens expire after 15 minutes
- Refresh tokens expire after 7 days
- Token rotation on refresh to prevent replay attacks
- Role-based access control (USER, ADMIN, MODERATOR, BANNED)
- Admin verification using environment-configured Discord IDs
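Refresh-token rotation as described in the list above, written out as an added example (not the project's own code). It uses opaque random tokens and an in-memory map in place of JWTs and the database, stores only a SHA-256 hash of each token, and goes one step further than the list by revoking the whole token family when a rotated token is replayed; all names are assumptions.

```javascript
const crypto = require('node:crypto');

const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000; // refresh tokens expire after 7 days

// In-memory stand-in for the token table (assumption). Rows are keyed by the
// SHA-256 of the token, so a dump of the store does not yield usable tokens.
class RefreshTokenStore {
  constructor() {
    this.rows = new Map();
  }

  static hash(token) {
    return crypto.createHash('sha256').update(token).digest('hex');
  }

  // Issue a token; tokens produced by rotation keep the familyId of the login.
  issue(userId, now = Date.now(), familyId = crypto.randomUUID()) {
    const token = crypto.randomBytes(32).toString('base64url');
    this.rows.set(RefreshTokenStore.hash(token), {
      userId, familyId, expiresAt: now + REFRESH_TTL_MS, used: false,
    });
    return token;
  }

  // Exchange a refresh token for a new one. Each token is accepted once.
  rotate(token, now = Date.now()) {
    const row = this.rows.get(RefreshTokenStore.hash(token));
    if (!row || row.expiresAt <= now) return { ok: false, reason: 'invalid' };
    if (row.used) {
      // An already-rotated token came back: treat it as a replay and revoke
      // every token descended from the same login.
      for (const [key, r] of this.rows) {
        if (r.familyId === row.familyId) this.rows.delete(key);
      }
      return { ok: false, reason: 'reuse-detected' };
    }
    row.used = true;
    const next = this.issue(row.userId, now, row.familyId);
    return { ok: true, userId: row.userId, token: next };
  }
}
```

A `reuse-detected` result is worth logging as a security event, since it means either the client or someone else holds a token that has already been exchanged.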
CORS Protection
Strict CORS policy:
- Only whitelisted origins are allowed (configured via CORS_ORIGINS env var)
- Credentials are required for cross-origin requests
- Preflight requests are properly handled
- Rejected origins are logged for monitoring
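An exact-match origin allowlist of the kind listed above, as an added example rather than the project's implementation. It assumes `CORS_ORIGINS` is a comma-separated list; the function names and the sample origins in the comments are constructed for illustration.

```javascript
// Parse CORS_ORIGINS into a set of bare origins (scheme://host[:port]).
// Wildcards, trailing slashes and paths are refused at startup, because the
// browser's Origin header would never equal such an entry.
function parseAllowedOrigins(raw) {
  const allowed = new Set();
  const entries = (raw || '').split(',').map((s) => s.trim()).filter(Boolean);
  for (const entry of entries) {
    const url = new URL(entry); // throws on "*" and other non-URLs
    if (url.origin !== entry) {
      throw new Error(`CORS_ORIGINS entry is not a bare origin: ${entry}`);
    }
    allowed.add(entry);
  }
  return allowed;
}

// Decide which CORS response headers a request gets. Matching is by string
// equality against the set, never by prefix, suffix or regular expression.
function corsHeadersFor(origin, allowed, log = console.warn) {
  if (!origin) return {}; // no Origin header: not a cross-origin browser request
  if (!allowed.has(origin)) {
    // JSON.stringify keeps control characters in the header out of the log line.
    log(`CORS: rejected origin ${JSON.stringify(origin)}`);
    return {};
  }
  return {
    // With credentials the matched origin must be echoed; "*" is not permitted.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keep caches from serving one origin's response to another
  };
}

// Constructed usage:
//   const allowed = parseAllowedOrigins('https://app.example.com, http://localhost:5173');
//   corsHeadersFor('https://app.example.com', allowed);            // CORS headers
//   corsHeadersFor('https://app.example.com.other.test', allowed); // {} and a log line
```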
Request Size Limits
- Maximum request size: 10MB
- Prevents DoS attacks via large payloads
- Applied to both JSON and URL-encoded bodies
Database Security
- Prisma ORM with parameterized queries prevents SQL injection
- Connection string stored securely in environment variables
- Sensitive data (access tokens, refresh tokens) stored in database
- Database connections should use SSL/TLS in production
Secrets Management
- All secrets stored in environment variables (never in code)
- .env file excluded from version control
- Separate .env.example with secure defaults
- Environment variable validation on startup
- Secret strength validation for JWT keys
Discord Bot Security
- Bot token validated for correct format (minimum 50 characters)
- Guild authorization checks before operations
- Permission scoping follows principle of least privilege
- Command validation prevents unauthorized actions
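The startup checks named under Secrets Management, Authentication and Discord Bot Security can be combined into one fail-fast validator. This is an added example, not the project's code: the variable names are assumptions, and the distinct-character test is an assumed stand-in for the "secret strength validation" the policy mentions.

```javascript
const DISCORD_ID = /^\d{17,19}$/; // Discord IDs: 17-19 digits
const MIN_JWT_SECRET = 32;        // minimum length stated in the policy
const MIN_BOT_TOKEN = 50;         // minimum length stated in the policy

// Returns a list of problems. Messages carry the variable name and the
// reason only, so a secret value never reaches the logs.
function validateEnv(env) {
  const errors = [];
  for (const name of ['JWT_SECRET', 'JWT_REFRESH_SECRET']) { // assumed names
    const value = env[name] || '';
    if (value.length < MIN_JWT_SECRET) {
      errors.push(`${name}: must be at least ${MIN_JWT_SECRET} characters`);
    } else if (new Set(value).size < 8) {
      // Assumed heuristic: a long but repetitive string is not a random key.
      errors.push(`${name}: too few distinct characters to be random`);
    }
  }
  if ((env.DISCORD_BOT_TOKEN || '').length < MIN_BOT_TOKEN) { // assumed name
    errors.push(`DISCORD_BOT_TOKEN: must be at least ${MIN_BOT_TOKEN} characters`);
  }
  const adminIds = (env.ADMIN_DISCORD_IDS || '') // assumed name, comma-separated
    .split(',').map((s) => s.trim()).filter(Boolean);
  for (const id of adminIds) {
    if (!DISCORD_ID.test(id)) {
      errors.push(`ADMIN_DISCORD_IDS: "${id}" is not a 17-19 digit ID`);
    }
  }
  return errors;
}

// Call once before the server or bot starts; refuses to run on bad config.
function assertEnv(env = process.env) {
  const errors = validateEnv(env);
  if (errors.length > 0) {
    throw new Error(`Refusing to start, invalid configuration:\n- ${errors.join('\n- ')}`);
  }
}
```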
🚨 Reporting a Vulnerability
If you discover a security vulnerability, please report it responsibly:
- Preferred Method: Create a private security advisory on GitHub
- Alternative: Contact the maintainers directly through GitHub
Please do NOT create public issues for security vulnerabilities.
What to Include
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response Time
- Initial response: Within 48 hours
- Status update: Every 72 hours
- Resolution target: 7-14 days for critical issues
🛡️ Security Best Practices for Deployment
Environment Variables
- Never commit .env files to version control
- Use strong, randomly generated secrets for JWT keys:
  node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
- Rotate secrets regularly (quarterly recommended)
- Use different secrets for each environment (dev, staging, production)
Database
- Use SSL/TLS for database connections in production
- Configure least-privilege database users
- Enable automatic backups with encryption
- Regularly audit database access logs
Network Security
- Use HTTPS in production (enforce with HSTS)
- Configure firewall rules to restrict access
- Use a reverse proxy (nginx, Cloudflare) for additional protection
- Enable DDoS protection
Monitoring & Logging
- Monitor for unusual activity patterns
- Set up alerts for authentication failures
- Log security events (rate limit hits, blocked CORS requests)
- Never log sensitive data (tokens, passwords, API keys)
Docker Security
- Use non-root users in containers
- Keep base images updated
- Scan images for vulnerabilities
- Use multi-stage builds to minimize attack surface
🔍 Security Audit Checklist
Regular security audits should include:
- Dependency vulnerability scan (npm audit)
- Code security analysis (CodeQL, ESLint security plugin)
- Secret scanning (TruffleHog)
- Access control review
- Rate limiting effectiveness
- Log review for security events
- Environment variable audit
- Database security review
📚 Security Resources
- OWASP Top 10
- Node.js Security Best Practices
- Discord Bot Security
- Helmet.js Documentation
- Express Security Best Practices
📝 Changelog
2025-10-20 - Initial Security Hardening
- Implemented Helmet.js security headers
- Added comprehensive rate limiting
- Implemented input validation with Zod
- Enhanced CORS configuration
- Added request size limits
- Removed hardcoded secrets
- Created security utilities
- Added security documentation