python-support-infra/stacks/site-support/SECURITY.md

1.5 KiB

Security

Here follows an explanation of security practices taken into account.

Refer to https://docs.docker.com/compose/compose-file/compose-file-v3/ for explanations of individual points.

Rootness

The container process runs as 5000:5000. No processes are run as root within the container.

Port Exposure

The container participates in the private mesh_public overlay network. This allows the reverse proxy, Traefik, to route traffic via. internal DNS.

This traffic is unencrypted HTTP. Thus, the overlay network must be run on a trusted (L3) network.

Volume Access

Only localtime and timezone are mounted (read-only).

All files to be served are either baked into the container image, or mounted with docker config.

Resource Limits

The service employs CPU/Memory usage limits in the deploy section.

This helps prevent a DDoS attack from crashing the entire host.

Capabilities

All capabilities are dropped with --cap_drop ALL.

No capabilities need to be added back, so none are.

security.txt

See https://securitytxt.org/ for RFC + generator.

This stack comes with a security.txt generator in scripts__security_txt, which:

  • Templates mail contact, expiry, GPG public key link, and canonical path.
  • Signs the file with the GPG private key referenced in the link.

To use it, first adjust the following block in gen.py:

MAILTO = 
EXPIRY = 
MAILTO_PGP_FINGERPRINT = 
DEPLOY_DOMAIN = 

Then, run ./gen.py from any working directory. Remember to review the generated file, and update docker config.