docs/SECURITY.md
2022-08-17 17:36:36 +02:00

LAYLO Code - Secure, resilient, privacy-friendly code hosting

This document gives an overview of the security standards applied on code.laylo.cloud.

Global

  • The OS and software are updated every week (Thursdays, 22:00 - 23:59 CEST).
  • The storage on the server is fully encrypted, both in OpenStack and in the VM itself (the latter using AES-XTS-256, see misc/softraid.pdf for the specification).
  • The server solely runs the Gitea stack (with Nginx and PostgreSQL), which avoids additional attack surface.

Web front-end

  • Any plain-text (HTTP) traffic is redirected to its TLS-secured counterpart (HTTPS).
  • TLS (or more specifically: TLSv1.2 and TLSv1.3) is used for transit encryption, with the following ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES-256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM and with HSTS.
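The three claims above (redirect, TLSv1.2/TLSv1.3 only, HSTS) can be checked mechanically against an Nginx configuration. The following is an added example, not code or configuration from code.laylo.cloud: the sample config is constructed, the function names are hypothetical, and the cipher list is not checked.

```python
import re

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # the only versions the page lists

# Constructed sample, NOT the real code.laylo.cloud configuration.
SAMPLE_CONF = """
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block by tracking brace depth."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(block, name):
    """Arguments of every `name ...;` directive (cut at the first ';')."""
    return re.findall(rf"^\s*{re.escape(name)}\s+([^;]+);", block, flags=re.M)

def audit(conf):
    """Return a list of deviations from the three web front-end claims."""
    findings = []
    for block in server_blocks(re.sub(r"#.*", "", conf)):  # drop comments first
        if "ssl" in " ".join(directives(block, "listen")).split():
            protos = set(" ".join(directives(block, "ssl_protocols")).split())
            if not protos:
                findings.append("tls: ssl_protocols unset, nginx defaults apply")
            elif protos - ALLOWED_PROTOCOLS:
                findings.append(f"tls: extra protocols {sorted(protos - ALLOWED_PROTOCOLS)}")
            hsts = " ".join(h for h in directives(block, "add_header")
                            if h.lower().startswith("strict-transport-security"))
            age = re.search(r"max-age=(\d+)", hsts)
            if not age or int(age.group(1)) == 0:
                findings.append("tls: HSTS missing or max-age=0")
        elif not any(re.match(r"30[1278]\s+https://", r)
                     for r in directives(block, "return")):
            findings.append("http: no redirect to https://")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "all three claims hold")
```

An empty list means every `server` block satisfies the claims; each finding names the block type and the claim it breaks.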

Networking

  • The server itself is strictly firewalled (using pf(8)), both egress and ingress, at the daemon/service level.
  • Internal service communication is encrypted (e.g. Gitea is configured to connect to the local PostgreSQL server using TLS).

Etc

  • Backups are made every 24 hours, using a 'pull mechanism'. This server does NOT have access to the backup repository.
  • SSH is hardened (PKI authentication, MFA via hardware tokens, highest-level cipher suites).