gui.do / barazo-deploy
Barazo Docker Compose templates for self-hosting barazo.forum
fork atom
barazo-deploy / .github / SECURITY.md
at main 3.4 kB view raw view code
Guido X Jansen docs(security): add repo-specific security scope and practices (#11)
33396b99

Security Policy#

Supported Versions#

Version Supported
1.x
< 1.0

Reporting a Vulnerability#

Do not open a public issue for security vulnerabilities.

Instead, use GitHub's private vulnerability reporting:

  1. Go to the repository
  2. Click "Security" tab
  3. Click "Report a vulnerability"
  4. Fill in the details

Or email: security@barazo.forum

We will respond within 72 hours with next steps.

Security Scope for This Repo#

barazo-deploy contains Docker Compose templates, Caddyfile, and operational scripts. The following areas are in scope for security reports:

Container Security#

  • Exposed ports -- services other than Caddy (ports 80/443) reachable from external networks
  • Network segmentation bypass -- backend services (PostgreSQL, Valkey) accessible from the frontend network
  • Privileged containers -- containers running with elevated privileges or unnecessary capabilities
  • Non-root violations -- containers running as root when they should not be
  • Base image vulnerabilities -- known CVEs in the Docker images referenced by compose files

Secret Management#

  • Secrets in compose files -- passwords, API keys, or tokens hardcoded in docker-compose.yml or Caddyfile
  • Default credentials -- real passwords or tokens shipped as defaults (all defaults must be clearly marked as development-only)
  • .env file exposure -- .env files committed to Git or accessible via web server
  • Backup encryption bypass -- backup scripts producing unencrypted output when encryption is expected

Caddy / Reverse Proxy#

  • SSL misconfiguration -- weak TLS settings, missing HSTS, expired certificates
  • Admin API exposure -- Caddy admin API accessible externally (should be disabled with admin off)
  • Internal endpoint exposure -- health check or debug endpoints reachable from outside the Docker network
  • Path traversal -- reverse proxy routing that exposes unintended backend paths

Operational Scripts#

  • Command injection -- user-controlled input in backup.sh, restore.sh, or smoke-test.sh reaching shell execution without sanitization
  • Unsafe file operations -- scripts following symlinks, writing to attacker-controlled paths, or using predictable temp file names
  • Credential leakage in logs -- scripts logging passwords or tokens to stdout/stderr

Valkey Hardening#

  • Dangerous command access -- FLUSHALL, FLUSHDB, CONFIG, DEBUG, or KEYS commands not properly disabled
  • Authentication bypass -- connecting to Valkey without the required password

Security Practices#

  • Only Caddy exposed externally (ports 80, 443)
  • Two-network segmentation (frontend + backend)
  • Caddy admin API disabled (admin off)
  • /api/health/ready blocked at Caddy level (internal monitoring only)
  • Valkey dangerous commands renamed/disabled
  • Secrets via environment variables only (never in compose files)
  • .env in .gitignore (.env.example uses CHANGE_ME placeholders)
  • Backup encryption via age (mandatory for off-server storage)
  • Dependencies monitored weekly via Dependabot (base images + GitHub Actions)

Disclosure Policy#

We follow responsible disclosure:

  • 90 days before public disclosure
  • Credit given to reporter (if desired)
  • CVE assigned when applicable