Carbon/SECURITY.md

# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 1.x | :white_check_mark: |
## Reporting a Vulnerability
If you discover a security vulnerability in Carbon HTTP Server, please report it responsibly:
1. **Do NOT** open a public GitHub issue for security vulnerabilities
2. Email your findings to the maintainers privately
3. Include detailed steps to reproduce the vulnerability
4. Allow reasonable time for a fix before public disclosure
## Security Features
Carbon HTTP Server implements multiple layers of security:
### SSL/TLS Encryption
- Full HTTPS support with OpenSSL integration
- Modern cipher suites with TLS 1.2+ support
- ALPN (Application-Layer Protocol Negotiation) for HTTP/2
- Configurable certificate and key paths
```conf
use_https = true
ssl_cert_path = ssl/cert/cert.pem
ssl_key_path = ssl/key/key.key
```
### Security Headers
All responses include security headers by default:
| Header | Value | Purpose |
|--------|-------|---------|
| `X-Content-Type-Options` | `nosniff` | Prevents MIME-type sniffing |
| `X-Frame-Options` | `SAMEORIGIN` | Clickjacking protection |
| `X-XSS-Protection` | `1; mode=block` | XSS filter protection |
| `Content-Security-Policy` | `default-src 'self'` | CSP protection |
| `Strict-Transport-Security` | `max-age=31536000` | HTTPS enforcement (when enabled) |
| `Referrer-Policy` | `strict-origin-when-cross-origin` | Referrer information control |
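A quick way to confirm that a deployment actually emits the headers in this table is to run a captured response head through a checker. The following is an added example, not code from Carbon: `missing_security_headers()` parses the status line and headers of a raw HTTP response (header names compared case-insensitively, values compared exactly) and returns a bitmask of the policy headers that are absent or carry a different value. `GOOD_RESPONSE` and `WEAK_RESPONSE` are constructed samples, not captures from a real server.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Header names and the exact values the table above requires.
   Index 4 (HSTS) is only demanded when the server runs with use_https = true. */
static const char *REQUIRED[][2] = {
    {"X-Content-Type-Options",    "nosniff"},
    {"X-Frame-Options",           "SAMEORIGIN"},
    {"X-XSS-Protection",          "1; mode=block"},
    {"Content-Security-Policy",   "default-src 'self'"},
    {"Strict-Transport-Security", "max-age=31536000"},
    {"Referrer-Policy",           "strict-origin-when-cross-origin"},
};
#define N_REQUIRED (sizeof REQUIRED / sizeof REQUIRED[0])
#define HSTS_BIT   (1u << 4)

/* Header names are case-insensitive, so compare accordingly; the name must
   be followed directly by ':' to count as a match. */
static int name_matches(const char *line, const char *name) {
    size_t n = strlen(name);
    for (size_t i = 0; i < n; i++)
        if (line[i] == '\0' ||
            tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return line[n] == ':';
}

/* Points at the header value (after ':' and optional whitespace) and stores
   its length, without trailing whitespace or line terminator, in *len. */
static const char *value_of(const char *line, size_t *len) {
    const char *v = strchr(line, ':') + 1;
    while (*v == ' ' || *v == '\t') v++;
    const char *end = v;
    while (*end && *end != '\r' && *end != '\n') end++;
    while (end > v && (end[-1] == ' ' || end[-1] == '\t')) end--;
    *len = (size_t)(end - v);
    return v;
}

/* Walks the response head (status line and headers up to the blank line) and
   returns a bitmask over REQUIRED: bit i set means header i is absent or has a
   value other than the one the policy prescribes. 0 means fully compliant. */
unsigned missing_security_headers(const char *response, int https_enabled) {
    unsigned missing = (1u << N_REQUIRED) - 1;
    if (!https_enabled) missing &= ~HSTS_BIT;
    const char *line = strchr(response, '\n');   /* skip the status line */
    if (!line) return missing;
    line++;
    while (*line && *line != '\r' && *line != '\n') {
        for (size_t i = 0; i < N_REQUIRED; i++) {
            if (!name_matches(line, REQUIRED[i][0])) continue;
            size_t len;
            const char *v = value_of(line, &len);
            if (len == strlen(REQUIRED[i][1]) && strncmp(v, REQUIRED[i][1], len) == 0)
                missing &= ~(1u << i);
        }
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return missing;
}

/* Constructed sample responses; not captured from a real Carbon instance. */
static const char GOOD_RESPONSE[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "x-content-type-options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n<html></html>";

static const char WEAK_RESPONSE[] =
    "HTTP/1.1 200 OK\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src *\r\n"
    "\r\n";

int main(void) {
    unsigned m = missing_security_headers(WEAK_RESPONSE, 1);
    for (size_t i = 0; i < N_REQUIRED; i++)
        if (m & (1u << i)) printf("missing or wrong: %s\n", REQUIRED[i][0]);
    return m == 0 ? 0 : 1;
}
```

Values are compared exactly on purpose: a CSP of `default-src *` or an HSTS header without the expected `max-age` is reported as a deviation rather than waved through. If the deployed policy legitimately adds directives (for example `includeSubDomains`), extend the `REQUIRED` table rather than loosening the comparison.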
### Rate Limiting
Dynamic rate limiting protects against abuse and DDoS attacks:
- Configurable request limits per time window
- CPU-based adaptive rate limiting
- Per-IP tracking with automatic cleanup
- Returns `429 Too Many Requests` when a client exceeds its limit
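The bullets above describe three cooperating pieces: a per-IP counter over a time window, a limit that adapts to CPU load, and eviction of idle entries. The following is an added example of that design, not Carbon's own implementation; `WINDOW_SECS`, `BASE_LIMIT`, `MIN_LIMIT`, `STALE_AFTER` and the table size are assumed values, and the CPU load is passed in as a 0.0 to 1.0 figure rather than measured.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_CLIENTS   256          /* tracked IPs (assumed size) */
#define WINDOW_SECS   60           /* length of one counting window */
#define BASE_LIMIT    100          /* requests per window at idle CPU */
#define MIN_LIMIT     10           /* floor that still lets legitimate clients through */
#define STALE_AFTER   (3 * WINDOW_SECS)

typedef struct {
    char     ip[46];               /* INET6_ADDRSTRLEN */
    time_t   window_start;
    unsigned count;
} client_t;

static client_t clients[MAX_CLIENTS];
static size_t   n_clients = 0;

/* The limit shrinks linearly as CPU utilisation (0.0..1.0) rises, so a busy
   host sheds load before it falls over, but never below MIN_LIMIT. */
unsigned effective_limit(double cpu_load) {
    if (cpu_load < 0.0) cpu_load = 0.0;
    if (cpu_load > 1.0) cpu_load = 1.0;
    unsigned lim = (unsigned)(BASE_LIMIT * (1.0 - cpu_load));
    return lim < MIN_LIMIT ? MIN_LIMIT : lim;
}

/* Evict entries idle for STALE_AFTER seconds, compacting the table in place.
   Returns how many were removed. */
size_t cleanup_clients(time_t now) {
    size_t kept = 0, removed = 0;
    for (size_t i = 0; i < n_clients; i++) {
        if (now - clients[i].window_start >= STALE_AFTER) { removed++; continue; }
        if (kept != i) clients[kept] = clients[i];
        kept++;
    }
    n_clients = kept;
    return removed;
}

/* Returns 1 if the request may proceed, 0 if the server should answer 429. */
int rate_limit_allow(const char *ip, time_t now, double cpu_load) {
    client_t *c = NULL;
    for (size_t i = 0; i < n_clients; i++)
        if (strcmp(clients[i].ip, ip) == 0) { c = &clients[i]; break; }
    if (!c) {
        if (n_clients == MAX_CLIENTS) cleanup_clients(now);
        if (n_clients == MAX_CLIENTS) return 0;     /* table full: fail closed */
        c = &clients[n_clients++];
        snprintf(c->ip, sizeof c->ip, "%s", ip);    /* bounded copy */
        c->window_start = now;
        c->count = 0;
    }
    if (now - c->window_start >= WINDOW_SECS) {     /* roll into a new window */
        c->window_start = now;
        c->count = 0;
    }
    if (c->count >= effective_limit(cpu_load)) return 0;
    c->count++;
    return 1;
}

/* Drive the limiter with a constructed burst; returns how many were allowed. */
int simulate_burst(const char *ip, unsigned requests, time_t now, double cpu_load) {
    int allowed = 0;
    for (unsigned i = 0; i < requests; i++)
        allowed += rate_limit_allow(ip, now, cpu_load);
    return allowed;
}

int main(void) {
    time_t t0 = 1700000000;  /* constructed fixed timestamp */
    printf("idle CPU: %d of 150 requests allowed\n", simulate_burst("203.0.113.7", 150, t0, 0.0));
    printf("busy CPU: %d of 150 requests allowed\n", simulate_burst("203.0.113.8", 150, t0, 0.9));
    printf("next window, first request allowed=%d\n", rate_limit_allow("203.0.113.7", t0 + WINDOW_SECS, 0.0));
    printf("stale entries removed: %zu\n", cleanup_clients(t0 + 10 * WINDOW_SECS));
    return 0;
}
```

Two choices matter for a defender: when the tracking table is full and cleanup frees nothing, the limiter fails closed (the new client gets a 429) rather than letting untracked traffic through, and the fixed window resets the count on roll-over, which is simple but allows up to twice the limit across a window boundary; a sliding window or token bucket is the usual refinement.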
### Input Validation & Sanitization
- URL sanitization to prevent path traversal attacks
- Request size limits (`MAX_REQUEST_SIZE = 16384`)
- Filename and path validation
- Buffer overflow protection with bounded string operations
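The first, third and fourth bullets come together in one routine: decode the request path, refuse anything that would escape the document root, and write the result with bounded string operations only. The following is an added example of that technique and not Carbon's own sanitizer; `MAX_PATH_LEN`, `MAX_DEPTH` and the `www` root used in `main()` are assumed values.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 1024   /* assumed bound for this example, not Carbon's own constant */
#define MAX_DEPTH    64     /* assumed maximum number of path segments */

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode `in` into `out` with a hard bound. Malformed escapes and any
   decoded NUL or control byte are rejected (-1) rather than passed on. */
static int url_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i]; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval(in[i + 1]);
            int lo = hi < 0 ? -1 : hexval(in[i + 2]);   /* never read past the NUL */
            if (hi < 0 || lo < 0) return -1;
            c = (unsigned char)(hi * 16 + lo);
            i += 2;
        }
        if (c < 0x20 || c == 0x7f) return -1;
        if (o + 1 >= outsz) return -1;   /* keep room for the terminator */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Reduce a URL path to canonical "/seg/seg" form. "." and empty segments are
   dropped, ".." pops a segment, and any ".." that would climb above "/" fails
   the request (-1) instead of being silently clamped, so it can be logged.
   Backslashes are refused because some filesystems treat them as separators. */
int sanitize_path(const char *raw, char *out, size_t outsz) {
    char decoded[MAX_PATH_LEN];
    const char *seg[MAX_DEPTH];
    size_t seglen[MAX_DEPTH], depth = 0, o = 0;

    if (url_decode(raw, decoded, sizeof decoded) != 0) return -1;
    if (decoded[0] != '/' || strchr(decoded, '\\')) return -1;

    for (const char *p = decoded; *p; ) {
        while (*p == '/') p++;
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return -1;   /* traversal above the document root */
            depth--;
            continue;
        }
        if (depth == MAX_DEPTH) return -1;
        seg[depth] = start;
        seglen[depth++] = len;
    }
    if (depth == 0) {
        if (outsz < 2) return -1;
        out[0] = '/'; out[1] = '\0';
        return 0;
    }
    for (size_t i = 0; i < depth; i++) {
        if (o + 1 + seglen[i] + 1 > outsz) return -1;   /* bounded write */
        out[o++] = '/';
        memcpy(out + o, seg[i], seglen[i]);
        o += seglen[i];
    }
    out[o] = '\0';
    return 0;
}

/* Join the sanitized path onto the document root; snprintf's return value is
   checked so an over-long result is an error, never a truncated path. */
int resolve_under_root(const char *root, const char *raw, char *out, size_t outsz) {
    char clean[MAX_PATH_LEN];
    if (sanitize_path(raw, clean, sizeof clean) != 0) return -1;
    int n = snprintf(out, outsz, "%s%s", root, clean);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void) {
    const char *samples[] = {"/index.html", "/css/../js/app.js", "/%2e%2e/secret.txt", "/a/%00.html"};
    char buf[MAX_PATH_LEN];
    for (size_t i = 0; i < 4; i++)
        printf("%-22s -> %s\n", samples[i],
               resolve_under_root("www", samples[i], buf, sizeof buf) == 0 ? buf : "REJECTED");
    return 0;
}
```

Decoding happens once, before normalisation, so an encoded `..` cannot slip past a check that only looks at the raw string; and the sanitizer rejects rather than clamps a climb above the root, which gives the server a clear event to log.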
### Memory Safety
- Stack protector enabled (`-fstack-protector-strong`)
- FORTIFY_SOURCE level 2
- Position Independent Executable (PIE)
- RELRO (Relocation Read-Only) linking
- No strict overflow (`-fno-strict-overflow`)
### Docker Security
When running in Docker, additional security measures are applied:
```yaml
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
read_only: true
```
- Non-root user execution (`carbon:carbon`)
- Dropped capabilities
- Read-only root filesystem
- Temporary filesystem for `/tmp`
- No privilege escalation
## Secure Configuration Recommendations
### Production Checklist
1. **Enable HTTPS**
```conf
use_https = true
```
2. **Use valid SSL certificates**
- Obtain certificates from a trusted CA (e.g., Let's Encrypt)
- Keep private keys secure with proper file permissions
3. **Set appropriate log mode**
```conf
log_mode = classic # Avoid debug/advanced in production
```
4. **Limit connections and threads**
```conf
max_threads = 4
max_connections = 1024
```
5. **Restrict network binding**
```conf
server_name = 127.0.0.1 # Or specific interface
```
### File Permissions
```bash
# Server binary
chmod 500 server
# Configuration files
chmod 600 server.conf
# SSL certificates
chmod 600 ssl/cert/cert.pem
chmod 600 ssl/key/key.key
# WWW directory (read-only): files 444, directories 555 so they stay traversable
# (a recursive chmod 444 would also strip the execute bit from subdirectories)
find www -type f -exec chmod 444 {} +
find www -type d -exec chmod 555 {} +
```
### Firewall Rules
```bash
# Allow HTTP (if needed)
sudo ufw allow 8080/tcp
# Allow HTTPS
sudo ufw allow 8443/tcp
# Deny all other incoming
sudo ufw default deny incoming
```
## Known Security Considerations
### WebSocket Security
When enabling WebSocket support:
- WebSocket connections validate the `Sec-WebSocket-Key` header
- Frame masking is enforced per RFC 6455
- UTF-8 validation for text frames
- Proper close frame handling
```conf
enable_websocket = true # Only enable if needed
```
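The frame-level rules listed above (client frames must be masked, text frames must be valid UTF-8, close frames are handled explicitly) are what a server-side frame parser has to enforce before any payload reaches application code. The following is an added example of such a parser, not Carbon's WebSocket implementation; `WS_MAX_PAYLOAD` is an assumed cap and the `FRAME_*` arrays are constructed test frames, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WS_MAX_PAYLOAD 16384   /* assumed per-frame cap; mirrors MAX_REQUEST_SIZE above */

enum ws_result { WS_OK = 0, WS_INCOMPLETE, WS_UNMASKED, WS_BAD_UTF8,
                 WS_BAD_LENGTH, WS_TOO_LARGE, WS_RESERVED_BITS };

typedef struct {
    int      fin;
    uint8_t  opcode;
    size_t   payload_len;
    uint8_t  payload[WS_MAX_PAYLOAD];
} ws_frame_t;

/* Strict UTF-8 check: rejects overlong forms, surrogates and values above U+10FFFF. */
int utf8_valid(const uint8_t *s, size_t n) {
    for (size_t i = 0; i < n; ) {
        uint8_t c = s[i];
        size_t len; uint32_t cp, min;
        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0)      { len = 2; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
        else return 0;
        if (i + len > n) return 0;
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += len;
    }
    return 1;
}

/* Parse one client-to-server frame from buf[0..n). On WS_OK, *out holds the
   unmasked payload and *consumed the bytes used; any other result is a reason
   to close the connection (1002 protocol error, 1007 for bad UTF-8). */
enum ws_result ws_parse_client_frame(const uint8_t *buf, size_t n,
                                     ws_frame_t *out, size_t *consumed) {
    if (n < 2) return WS_INCOMPLETE;
    if (buf[0] & 0x70) return WS_RESERVED_BITS;   /* RSV1-3 must be 0 without extensions */
    out->fin = (buf[0] & 0x80) != 0;
    out->opcode = buf[0] & 0x0F;
    int masked = (buf[1] & 0x80) != 0;
    uint64_t len = buf[1] & 0x7F;
    size_t pos = 2;
    if (len == 126) {
        if (n < 4) return WS_INCOMPLETE;
        len = ((uint64_t)buf[2] << 8) | buf[3];
        if (len < 126) return WS_BAD_LENGTH;      /* length must use minimal encoding */
        pos = 4;
    } else if (len == 127) {
        if (n < 10) return WS_INCOMPLETE;
        len = 0;
        for (int i = 0; i < 8; i++) len = (len << 8) | buf[2 + i];
        if (len < 65536 || (len >> 63)) return WS_BAD_LENGTH;
        pos = 10;
    }
    if (!masked) return WS_UNMASKED;              /* RFC 6455 5.1: client frames must be masked */
    if (out->opcode >= 0x8 && (len > 125 || !out->fin)) return WS_BAD_LENGTH;
    if (len > WS_MAX_PAYLOAD) return WS_TOO_LARGE;
    if (n < pos + 4 + len) return WS_INCOMPLETE;
    const uint8_t *key = buf + pos;
    pos += 4;
    for (size_t i = 0; i < len; i++) out->payload[i] = buf[pos + i] ^ key[i % 4];
    out->payload_len = (size_t)len;
    if (out->opcode == 0x1 && !utf8_valid(out->payload, out->payload_len)) return WS_BAD_UTF8;
    *consumed = pos + (size_t)len;
    return WS_OK;
}

/* Status code carried by a close frame; 1005 means the peer sent none. */
int ws_close_code(const ws_frame_t *f) {
    if (f->opcode != 0x8 || f->payload_len < 2) return 1005;
    return (f->payload[0] << 8) | f->payload[1];
}

/* Constructed frames (not captured traffic). Masking key 12 34 56 78 over "Hi". */
static const uint8_t FRAME_TEXT_HI[]  = {0x81, 0x82, 0x12, 0x34, 0x56, 0x78, 0x5A, 0x5D};
static const uint8_t FRAME_UNMASKED[] = {0x81, 0x02, 'H', 'i'};
static const uint8_t FRAME_BAD_UTF8[] = {0x81, 0x82, 0, 0, 0, 0, 0xFF, 0xFE};
static const uint8_t FRAME_CLOSE[]    = {0x88, 0x82, 0, 0, 0, 0, 0x03, 0xE8};   /* status 1000 */

int main(void) {
    ws_frame_t f; size_t used;
    if (ws_parse_client_frame(FRAME_TEXT_HI, sizeof FRAME_TEXT_HI, &f, &used) == WS_OK)
        printf("text frame: %.*s (%zu bytes consumed)\n", (int)f.payload_len, (const char *)f.payload, used);
    printf("unmasked frame -> %d (WS_UNMASKED=%d)\n",
           ws_parse_client_frame(FRAME_UNMASKED, sizeof FRAME_UNMASKED, &f, &used), WS_UNMASKED);
    return 0;
}
```

The length checks run before any payload is touched: the 64-bit length field is validated and capped at `WS_MAX_PAYLOAD` so a hostile length cannot drive an oversized copy, and control frames are limited to 125 bytes and a single fragment as the RFC requires.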
### HTTP/2 Security
HTTP/2 is only available over HTTPS (h2), not cleartext (h2c):
```conf
use_https = true
enable_http2 = true
```
### Logging Security
- Sensitive data is sanitized in log output
- Log files should have restricted permissions
- Consider log rotation to prevent disk exhaustion
```conf
log_file = log/server.log
log_mode = classic
```
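"Sensitive data is sanitized in log output" covers two separate concerns: credential-bearing headers must be redacted, and client-controlled bytes must not be able to inject fake log lines via embedded CR/LF or control characters. The following is an added example of a log line sanitizer that does both, not Carbon's logging code; the `SENSITIVE` header list is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Header names whose values must never reach the log (assumed list). */
static const char *SENSITIVE[] = {"Authorization", "Cookie", "Proxy-Authorization", "Set-Cookie"};

static int starts_with_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Copy one request line or header line into `out` for logging: redact values
   of sensitive headers, and escape CR, LF and other control bytes so a client
   cannot forge additional log entries. Bounded; returns 0 on success, -1 if
   `out` is too small. */
int sanitize_log_line(const char *line, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; i < sizeof SENSITIVE / sizeof SENSITIVE[0]; i++) {
        size_t n = strlen(SENSITIVE[i]);
        if (starts_with_ci(line, SENSITIVE[i]) && line[n] == ':') {
            int w = snprintf(out, outsz, "%s: [REDACTED]", SENSITIVE[i]);
            return (w < 0 || (size_t)w >= outsz) ? -1 : 0;
        }
    }
    for (const unsigned char *p = (const unsigned char *)line; *p; p++) {
        char esc[5];
        const char *rep = NULL;
        if (*p == '\r') rep = "\\r";
        else if (*p == '\n') rep = "\\n";
        else if (*p < 0x20 || *p == 0x7f) {
            snprintf(esc, sizeof esc, "\\x%02X", (unsigned)*p);
            rep = esc;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (o + need >= outsz) return -1;   /* leave room for the terminator */
        if (rep) { memcpy(out + o, rep, need); o += need; }
        else out[o++] = (char)*p;
    }
    out[o] = '\0';
    return 0;
}

int main(void) {
    /* Constructed inputs, including a newline injection attempt. */
    const char *inputs[] = {"Cookie: session=abc123", "GET /x\r\n127.0.0.1 - forged entry"};
    char buf[128];
    for (size_t i = 0; i < 2; i++)
        if (sanitize_log_line(inputs[i], buf, sizeof buf) == 0) printf("%s\n", buf);
    return 0;
}
```

The escaping keeps one input line on one log line, which is what makes the log trustworthy for later incident analysis; redaction by header name rather than by pattern avoids leaking tokens in formats the pattern did not anticipate.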
## Build Security
The Makefile includes security-focused compiler flags:
```makefile
CFLAGS += -fstack-protector-strong
CFLAGS += -fPIE -D_FORTIFY_SOURCE=2
CFLAGS += -Wformat -Wformat-security -Werror=format-security
LDFLAGS = -Wl,-z,relro,-z,now -pie
```
## Security Updates
- Monitor the repository for security updates
- Keep dependencies (OpenSSL, nghttp2, zlib) updated
- Rebuild after dependency updates
## Disclaimer
Carbon HTTP Server is provided for educational and testing purposes. While security measures are implemented, the software:
- Has not undergone formal security audit
- May contain undiscovered vulnerabilities
- Should be thoroughly tested before production use
**Always perform your own security assessment before deploying in production environments.**
## References
- [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/)
- [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/)
- [RFC 6455 - WebSocket Protocol](https://tools.ietf.org/html/rfc6455)
- [RFC 7540 - HTTP/2](https://tools.ietf.org/html/rfc7540)
- [OpenSSL Security](https://www.openssl.org/policies/secpolicy.html)