From 94f935c2ea28baffd6b4365a0a58584d7d09e607 Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Sat, 4 Sep 2021 20:18:29 +0100 Subject: [PATCH] :memo: Updates privacy and security docs --- .github/SECURITY.md | 6 ++++++ docs/privacy.md | 12 ++++++++++++ 2 files changed, 18 insertions(+) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 3b9ba613..8562c545 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -27,3 +27,9 @@ Please use only English. ## Issues That Should Not Be Raised Please do not raise issues in this repo which relate to Vue or Vue CLI, we're already using the latest versions of these dependencies, so any issues here to be taken up with Vue. The same applies to other dev dependencies that are at the latest version. + +## Known Issues + +> **01/09/2021** - [Inefficient Regular Expression Complexity](https://www.huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/) in Axios (Re: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)). + +This ReDos vuln, was raised and fixed by @ready-research in Axios in August 2021. The issue was resolved in [`5b45711`](https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929), but Snyk sometime just takes a while to show updates. Dashy is using the latest version of Axios, and so is not affected by this issue. diff --git a/docs/privacy.md b/docs/privacy.md index 2e789816..18bb15d7 100644 --- a/docs/privacy.md +++ b/docs/privacy.md 
@@ -95,6 +95,18 @@ This is covered in more detail in [App Management](/docs/management.md). --- +## Security Features + +#### Subresource Integrity +[Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) or SRI is a security feature that enables browsers to verify that resources they fetch are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match. This prevents the app from loading any resources that have been manipulated, by verifying the files hashes. It safeguards against the risk of an attacker injecting arbitrary malicious content into any files served up via a CDN. + +Dashy supports SRI, and it is recommended to enable this if you are hosting your dashboard via a public CDN. To enable SRI, set the `INTEGRITY` environmental variable to `true`. + +#### Authentication +Dashy supports both basic auth, as well as server-based SSO using Keycloak. Full details of which, along with alternate authentication methods can be found in the [Authentication Docs](/docs/authentication.md). If your dashboard is exposed to the internet and/ or contains any sensitive info it is strongly recommended to configure access control with Keycloak or another server-side method. + +--- + ## Reporting a Security Issue If you think you've found a critical issue with Dashy, please send an email to `security@mail.alicia.omg.lol`. You can encrypt it, using [`0688 F8D3 4587 D954 E9E5 1FB8 FEDB 68F5 5C02 83A7`](https://keybase.io/aliciasykes/pgp_keys.asc?fingerprint=0688f8d34587d954e9e51fb8fedb68f55c0283a7). You should receive a response within 48 hours.
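Review bot: In the `.github/SECURITY.md` hunk, the new "Known Issues" paragraph states that Dashy "is using the latest version of Axios, and so is not affected", but it never names the Axios version that contains the fix, so the claim cannot be checked against `package.json` or the lock file once newer releases appear; suggest stating the fixed version explicitly (the note already links the fixing commit `5b45711`, so the release that includes it is the natural reference) and dropping "latest", which goes stale. Minor wording in the same paragraph: "ReDos" should be "ReDoS", "This ReDos vuln, was raised" has a stray comma, and "Snyk sometime just takes a while" should read "sometimes". The date "01/09/2021" is ambiguous between 1 September and 9 January; an ISO date (`2021-09-01`) avoids the question.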
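Review bot: In the `docs/privacy.md` hunk, the new "Security Features" section jumps from `## Security Features` straight to `#### Subresource Integrity` and `#### Authentication`, skipping the `###` level the rest of the file's hierarchy implies; suggest `### Subresource Integrity` and `### Authentication`. The SRI paragraph says to set the `INTEGRITY` environmental variable to `true` but does not say whether that variable is read at build time (when the integrity hashes would be computed and written into the HTML) or at runtime, which is exactly what a reader hosting behind a CDN needs to know to apply it; please state which. Small fixes in the same lines: "environmental variable" should be "environment variable", "by verifying the files hashes" should be "by verifying the file hashes", and "and/ or" should be "and/or".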