platform-codebase/infrastructure/SECURITY.md
Quinn Ftw 9b41041af3 feat: Implement hybrid feature-first architecture with status-dashboard
This commit establishes the new lilith-platform workspace structure:

Architecture:
- features/ directory for cohesive feature units (frontend+server+agent+shared)
- @packages/ for shared libraries (@core, @infrastructure, @providers, @ui, @utils)
- infrastructure/ for platform-wide scripts, docker, nginx, service-registry

Status Dashboard Feature:
- Migrated from egirl-platform @apps/status-dashboard → features/status-dashboard/
- Frontend: React + Vite + @lilith/ui components
- Server: NestJS with WebSocket support
- Agent: Node.js metrics collector
- Infrastructure: Deploy script for VPS

Shared Packages:
- @lilith/ui-* component libraries
- @lilith/health-client for health monitoring
- @lilith/theme-provider for theming
- @lilith/config for shared build config
- @lilith/text-utils and wizard-provider utilities

Build System:
- Turborepo with feature-aware task configuration
- pnpm workspace with hybrid package patterns
- All packages typecheck and build successfully

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 18:40:37 -08:00

6.4 KiB

Security Configuration

This document outlines the security measures implemented for the lilith-platform production deployment.

Anti-Scraping Protection

1. Bot Detection & Blocking

robots.txt: Blocks all automated crawlers

User-agent: *
Disallow: /

User-Agent Filtering: Nginx blocks known bot signatures including:

  • Web scrapers: bot, crawler, spider, scraper
  • HTTP clients: wget, curl, python, java, go-http
  • Headless browsers: headless, phantom, selenium, puppeteer
  • API clients: postman, httpie, insomnia

2. Rate Limiting

Protects against automated attacks and scraping:

Endpoint Rate Limit Burst Purpose
General pages 10 req/s 20 Normal browsing
API endpoints 30 req/s 20 API requests
Authentication 5 req/min 3 Login/signup attempts
File uploads 2 req/min 1 Content uploads

Connection Limiting: Max 10 concurrent connections per IP address

3. Request Filtering

  • Referrer Policy: Strict origin checking (optional, currently disabled)
  • Session Validation: API endpoints can require valid session cookies
  • Direct Access Protection: Can block requests without proper referrer headers

SSL/TLS Security

Certificate Configuration

  • Provider: Let's Encrypt (free, auto-renewing)
  • Protocols: TLSv1.2, TLSv1.3 only (older protocols disabled)
  • Ciphers: Modern ECDHE ciphers with forward secrecy
  • OCSP Stapling: Enabled for faster certificate validation

HSTS (HTTP Strict Transport Security)

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • Forces HTTPS for 2 years
  • Applies to all subdomains
  • Preload list eligible

Security Headers

Content Security Policy (CSP)

default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
connect-src 'self' wss: https:;

Prevents:

  • XSS (Cross-Site Scripting) attacks
  • Data injection attacks
  • Unauthorized script execution

Other Headers

  • X-Frame-Options: SAMEORIGIN - Prevents clickjacking
  • X-Content-Type-Options: nosniff - Prevents MIME sniffing
  • X-XSS-Protection: 1; mode=block - Browser XSS filter
  • Referrer-Policy: strict-origin-when-cross-origin - Privacy-preserving
  • Permissions-Policy: Disables geolocation, microphone, camera

Privacy Protection

No Tracking

  • No third-party analytics
  • No tracking pixels
  • No external font/CDN dependencies (self-hosted)
  • Privacy-preserving log format (partial IP masking)
  • Secure flag (HTTPS only)
  • HttpOnly flag (no JavaScript access)
  • SameSite=Strict (CSRF protection)

Intrusion Prevention

Fail2Ban Integration

  • Monitors Nginx access logs
  • Automatically bans IPs after failed login attempts
  • Configurable ban duration and retry limits
  • Protection against brute force attacks

Firewall Rules (DigitalOcean)

  • SSH (22): Limited to specific IPs (optional)
  • HTTP (80): Open (redirects to HTTPS)
  • HTTPS (443): Open
  • All other ports: Blocked

File Upload Protection

Size Limits

  • Max upload size: 100MB per file
  • Buffer limits: 1KB client body buffer (prevents overflow)

Content Validation

  • File type verification (server-side)
  • Malware scanning (recommended: ClamAV)
  • Filename sanitization

DDoS Mitigation

Nginx Configuration

  • Connection timeouts (10s)
  • Buffer size limits
  • Request size limits
  • Slow loris protection

Cloudflare (Optional Enhancement)

For additional DDoS protection, consider:

  • Cloudflare proxy
  • WAF (Web Application Firewall)
  • Bot management

Monitoring & Alerting

Log Analysis

  • Access logs: /var/log/nginx/access.log
  • Error logs: /var/log/nginx/error.log
  • Application logs: Docker logs

Alert Triggers

  • High error rate (5xx responses)
  • Unusual traffic patterns
  • Failed authentication attempts
  • SSL certificate expiry

Security Checklist

Pre-Launch

  • DNS configured (A records pointing to droplet)
  • SSL certificates obtained and validated
  • Environment variables set (JWT_SECRET, POSTGRES_PASSWORD, etc.)
  • Firewall rules verified
  • Rate limits tested
  • Bot blocking verified
  • Security headers validated (securityheaders.com)

Post-Launch

  • Monitor access logs for bot activity
  • Review Fail2Ban ban list
  • Test rate limiting under load
  • Verify SSL certificate auto-renewal
  • Run security scan (OWASP ZAP, Nikto)
  • Penetration testing (optional)

Ongoing

  • Weekly log review
  • Monthly security updates (Docker images, OS packages)
  • Quarterly firewall rule audit
  • Annual penetration test

Future Security Improvements

  1. Web Application Firewall (WAF): ModSecurity or Cloudflare WAF
  2. Malware Scanning: ClamAV for uploaded files
  3. IP Reputation: Block known malicious IPs (IPSet, Spamhaus)
  4. Two-Factor Authentication: TOTP for user accounts
  5. Database Encryption: Encrypt sensitive fields at rest
  6. Audit Logging: Immutable audit trail for admin actions
  7. Security Monitoring: Wazuh or OSSEC for intrusion detection

Anti-Scraping Enhancements

  1. JavaScript Challenge: Cloudflare Turnstile or hCaptcha
  2. Fingerprinting: Browser fingerprinting to detect headless browsers
  3. Behavioral Analysis: Detect automated patterns (mouse movement, timing)
  4. Honeypots: Hidden form fields to trap bots
  5. Dynamic Content: Render content client-side to prevent scraping

Compliance

GDPR Considerations

  • User data minimization
  • Right to erasure (account deletion)
  • Data portability
  • Privacy policy disclosure

Content Protection

  • Copyright notices
  • DMCA takedown process
  • Watermarking for premium content
  • Download prevention (right-click disable for images)

Incident Response

Security Breach Protocol

  1. Detect: Monitor logs, alerts, user reports
  2. Contain: Isolate affected systems, block malicious IPs
  3. Investigate: Analyze logs, identify attack vector
  4. Remediate: Patch vulnerabilities, restore from backup
  5. Document: Post-mortem report, update security measures

Contact


Last Updated: 2025-11-09 Review Schedule: Quarterly Next Review: 2026-02-09