github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Docs sec controls (#1018)

Browse Source 
* add security controls document

* Add sec controls doc
This commit is contained in:
Jamil
2022-10-13 14:59:41 -05:00
committed by GitHub
parent bcc9331229
commit 448ef072e5
2 changed files with 73 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
apps/fz_http/lib/fz_http_web/router.ex
View File

@@ -5,7 +5,7 @@ defmodule FzHttpWeb.Router do
use FzHttpWeb, :router
# Limit total requests to 20 per every 10 seconds
# Limit total requests to 50 per every 10 seconds
@root_rate_limit [rate_limit: {"root", 10_000, 50}, by: :ip]
pipeline :browser do

72
docs/docs/reference/security-controls.mdx Normal file
View File

@@ -0,0 +1,72 @@
---
title: Security Controls
sidebar_position: 10
---
Firezone employs a few different security controls to keep data secure in
transit and at rest.
## Overview of Cryptography Used
Below is a table of cryptography used and to which contexts they apply.
| Cryptography | Context | Notes |
| --- | --- | |
| AES-GCM | Data at rest | Used to encrypt sensitive database fields such as device preshared keys and multi-factor authentication secrets. |
| Argon2 | Data at rest | Used to hash user passwords for the local authentication method. |
| TLSv1.2/TLSv1.3 | Data in transit | Used by the Caddy server to encrypt HTTP connections to the portal. Read more at https://caddyserver.com/docs/caddyfile/directives/tls. SSL certificates are provisioned automatically with the ACME protocol by Let's Encrypt by default. |
| ChaCha20, Poly1305, Curve25519, BLAKE2s, SipHash24, HKDF | Data in transit | Used by WireGuard® for VPN tunnels. Read more at https://wireguard.com/protocol. Firezone uses Linux kernel WireGuard without modification. |
## Rate Limiting
Firezone employs HTTP rate limiting to help limit the effectiveness of brute
force attacks against the web portal. Requests from a single IP are
limited to 5 per second before Firezone responds with an
`HTTP 429: Too Many Requests`.
## Security Policy
We take security issues very seriously and strive to fix all security issues
as soon as they're reported.
### Announcements
We'll announce major security issues on our security mailing list located at:
https://discourse.firez.one
### Supported Versions
We release security patches for supported versions of Firezone. We recommend
running the latest version of Firezone at all times.
### Reporting a Vulnerability
Please **do not** open a Github Issue for security issues you encounter.
Instead, please send an email to `security AT firezone.dev` describing the issue
and we'll respond as soon as possible.
### PGP Key
You may use the public key below to encrypt emails to `security AT firezone.dev`.
You can also find this key at:
https://pgp.mit.edu/pks/lookup?op=get&search=0x45113BA04AD83D8A
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: pgp.mit.edu
mDMEYYwK5BYJKwYBBAHaRw8BAQdA4ooDpwDy3V0wHCftM/LHD5e713LSr0SQy49joUMgHoS0
JkZpcmV6b25lIFNlY3VyaXR5IDxzZWN1cml0eUBmaXJlei5vbmU+iJoEExYKAEIWIQQlD4tW
gEEHBC38anNFETugStg9igUCYYwK5AIbAwUJA8JnAAULCQgHAgMiAgEGFQoJCAsCBBYCAwEC
HgcCF4AACgkQRRE7oErYPYoORwEAiYi3arrcR2e5OfqsoAbCN0O6M0HWeo1K/ZoFWH2jLy0B
AMsWk58vepKqNhUKhuDb8bSjK8TOr/IxB63lSkQaz9MIuDgEYYwK5BIKKwYBBAGXVQEFAQEH
QPLzia/me7FOsFfAJKWm0X1qC5byv2GWn6LZPV013AdoAwEIB4h+BBgWCgAmFiEEJQ+LVoBB
BwQt/GpzRRE7oErYPYoFAmGMCuQCGwwFCQPCZwAACgkQRRE7oErYPYr0ZQEAig86wu+zrNiT
B4t3dk3psHRj+Kdn4uURLjUBZqYNvXoA+QEBUPtP7hNjum+1FrzYmHUFdCBA/cszz7x7PQ36
5gcE
=0gEr
-----END PGP PUBLIC KEY BLOCK-----
```