Update README
This commit is contained in:
parent
a0cffafce2
commit
0d462fb147
24
SECURITY.md
Normal file
24
SECURITY.md
Normal file
@ -0,0 +1,24 @@
|
||||
## LAYLO Code - Secure, resilient, privacy-friendly code hosting
|
||||
|
||||
This document gives an overview to the applied security standards that are in use on `code.laylo.cloud`.
|
||||
|
||||
### Global
|
||||
|
||||
- The OS and software is updated every week (Thursdays, 22:00 - 23:59 CEST).
|
||||
- The storage on the server is fully encrypted, both in OpenStack and the VM itself (the latter one using `AES-XTS-256`, see misc/softraid.pdf for the specification).
|
||||
- The server _solely_ runs the Gitea stack (with Nginx and PostgreSQL), thus preventing additional attack surface.
|
||||
|
||||
### Web front-end
|
||||
|
||||
- Any plain-text (HTTP) traffic is redirected to the TLS secure counterpart (HTTPS).
|
||||
- TLS (or more specifically: TLSv1.2 and TLSv1.3) is used for transit encryption, with the following ciphers: `ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES-256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM` and with HSTS.
|
||||
|
||||
### Networking
|
||||
|
||||
- The server itself is strictly firewalled (using `pf(8)`), both egress and ingress - on a daemon/service level.
|
||||
- Internal service communication is encrypted (eg: Gitea is configured to connect to the local PostgreSQL server using TLS).
|
||||
|
||||
### Etc
|
||||
|
||||
- Backups are made every 24 hours, using a 'pull mechanism'. This server does **NOT** have access to the backup repository.
|
||||
- SSH is hardened (PKI authentication, MFA via hardware tokens, highest level ciphersuites).
|
BIN
misc/softraid.pdf
Normal file
BIN
misc/softraid.pdf
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user