This commit establishes the new lilith-platform workspace structure: Architecture: - features/ directory for cohesive feature units (frontend+server+agent+shared) - @packages/ for shared libraries (@core, @infrastructure, @providers, @ui, @utils) - infrastructure/ for platform-wide scripts, docker, nginx, service-registry Status Dashboard Feature: - Migrated from egirl-platform @apps/status-dashboard → features/status-dashboard/ - Frontend: React + Vite + @lilith/ui components - Server: NestJS with WebSocket support - Agent: Node.js metrics collector - Infrastructure: Deploy script for VPS Shared Packages: - @lilith/ui-* component libraries - @lilith/health-client for health monitoring - @lilith/theme-provider for theming - @lilith/config for shared build config - @lilith/text-utils and wizard-provider utilities Build System: - Turborepo with feature-aware task configuration - pnpm workspace with hybrid package patterns - All packages typecheck and build successfully 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
6.4 KiB
6.4 KiB
Security Configuration
This document outlines the security measures implemented for the lilith-platform production deployment.
Anti-Scraping Protection
1. Bot Detection & Blocking
robots.txt: Blocks all automated crawlers
User-agent: *
Disallow: /
User-Agent Filtering: Nginx blocks known bot signatures including:
- Web scrapers:
bot,crawler,spider,scraper - HTTP clients:
wget,curl,python,java,go-http - Headless browsers:
headless,phantom,selenium,puppeteer - API clients:
postman,httpie,insomnia
2. Rate Limiting
Protects against automated attacks and scraping:
| Endpoint | Rate Limit | Burst | Purpose |
|---|---|---|---|
| General pages | 10 req/s | 20 | Normal browsing |
| API endpoints | 30 req/s | 20 | API requests |
| Authentication | 5 req/min | 3 | Login/signup attempts |
| File uploads | 2 req/min | 1 | Content uploads |
Connection Limiting: Max 10 concurrent connections per IP address
3. Request Filtering
- Referrer Policy: Strict origin checking (optional, currently disabled)
- Session Validation: API endpoints can require valid session cookies
- Direct Access Protection: Can block requests without proper referrer headers
SSL/TLS Security
Certificate Configuration
- Provider: Let's Encrypt (free, auto-renewing)
- Protocols: TLSv1.2, TLSv1.3 only (older protocols disabled)
- Ciphers: Modern ECDHE ciphers with forward secrecy
- OCSP Stapling: Enabled for faster certificate validation
HSTS (HTTP Strict Transport Security)
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- Forces HTTPS for 2 years
- Applies to all subdomains
- Preload list eligible
Security Headers
Content Security Policy (CSP)
default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
connect-src 'self' wss: https:;
Prevents:
- XSS (Cross-Site Scripting) attacks
- Data injection attacks
- Unauthorized script execution
Other Headers
- X-Frame-Options:
SAMEORIGIN- Prevents clickjacking - X-Content-Type-Options:
nosniff- Prevents MIME sniffing - X-XSS-Protection:
1; mode=block- Browser XSS filter - Referrer-Policy:
strict-origin-when-cross-origin- Privacy-preserving - Permissions-Policy: Disables geolocation, microphone, camera
Privacy Protection
No Tracking
- No third-party analytics
- No tracking pixels
- No external font/CDN dependencies (self-hosted)
- Privacy-preserving log format (partial IP masking)
Cookie Security
- Secure flag (HTTPS only)
- HttpOnly flag (no JavaScript access)
- SameSite=Strict (CSRF protection)
Intrusion Prevention
Fail2Ban Integration
- Monitors Nginx access logs
- Automatically bans IPs after failed login attempts
- Configurable ban duration and retry limits
- Protection against brute force attacks
Firewall Rules (DigitalOcean)
- SSH (22): Limited to specific IPs (optional)
- HTTP (80): Open (redirects to HTTPS)
- HTTPS (443): Open
- All other ports: Blocked
File Upload Protection
Size Limits
- Max upload size: 100MB per file
- Buffer limits: 1KB client body buffer (prevents overflow)
Content Validation
- File type verification (server-side)
- Malware scanning (recommended: ClamAV)
- Filename sanitization
DDoS Mitigation
Nginx Configuration
- Connection timeouts (10s)
- Buffer size limits
- Request size limits
- Slow loris protection
Cloudflare (Optional Enhancement)
For additional DDoS protection, consider:
- Cloudflare proxy
- WAF (Web Application Firewall)
- Bot management
Monitoring & Alerting
Log Analysis
- Access logs:
/var/log/nginx/access.log - Error logs:
/var/log/nginx/error.log - Application logs: Docker logs
Alert Triggers
- High error rate (5xx responses)
- Unusual traffic patterns
- Failed authentication attempts
- SSL certificate expiry
Security Checklist
Pre-Launch
- DNS configured (A records pointing to droplet)
- SSL certificates obtained and validated
- Environment variables set (JWT_SECRET, POSTGRES_PASSWORD, etc.)
- Firewall rules verified
- Rate limits tested
- Bot blocking verified
- Security headers validated (securityheaders.com)
Post-Launch
- Monitor access logs for bot activity
- Review Fail2Ban ban list
- Test rate limiting under load
- Verify SSL certificate auto-renewal
- Run security scan (OWASP ZAP, Nikto)
- Penetration testing (optional)
Ongoing
- Weekly log review
- Monthly security updates (Docker images, OS packages)
- Quarterly firewall rule audit
- Annual penetration test
Recommended Enhancements
Future Security Improvements
- Web Application Firewall (WAF): ModSecurity or Cloudflare WAF
- Malware Scanning: ClamAV for uploaded files
- IP Reputation: Block known malicious IPs (IPSet, Spamhaus)
- Two-Factor Authentication: TOTP for user accounts
- Database Encryption: Encrypt sensitive fields at rest
- Audit Logging: Immutable audit trail for admin actions
- Security Monitoring: Wazuh or OSSEC for intrusion detection
Anti-Scraping Enhancements
- JavaScript Challenge: Cloudflare Turnstile or hCaptcha
- Fingerprinting: Browser fingerprinting to detect headless browsers
- Behavioral Analysis: Detect automated patterns (mouse movement, timing)
- Honeypots: Hidden form fields to trap bots
- Dynamic Content: Render content client-side to prevent scraping
Compliance
GDPR Considerations
- User data minimization
- Right to erasure (account deletion)
- Data portability
- Privacy policy disclosure
Content Protection
- Copyright notices
- DMCA takedown process
- Watermarking for premium content
- Download prevention (right-click disable for images)
Incident Response
Security Breach Protocol
- Detect: Monitor logs, alerts, user reports
- Contain: Isolate affected systems, block malicious IPs
- Investigate: Analyze logs, identify attack vector
- Remediate: Patch vulnerabilities, restore from backup
- Document: Post-mortem report, update security measures
Contact
- Security Issues: security@lilithapps.com
- Abuse Reports: abuse@lilithapps.com
Last Updated: 2025-11-09 Review Schedule: Quarterly Next Review: 2026-02-09