Gronod
dcf613446e
README.md: - Node prerequisite: v12+ → v22+ - Real-Time Updates: describe SSE push, remove polling/refresh-selector wording - On-demand mode: update for SSE connect triggering poll - API Endpoints: add /stream, /me, /csrf, /user-summary, /status, /cover-art - Remove stale /api/qbittorrent proxy entry - Docker tags: update to 1.0.x SECURITY.md: - Supported versions: add 1.0.x, retire 0.2.x - CSP header: add style-src-attr 'unsafe-inline' - Nginx example: add proxy_buffering off / proxy_read_timeout for SSE Diagrams: - seq-dashboard.puml: rewrite as SSE stream sequence (connect, initial payload, pushed updates, heartbeat, disconnect) - seq-polling.puml: add SSE subscriber notification step after cache population - state-ui.puml: replace Refresh Rate sub-state with SSE Connection state machine; update splash loading and logout transitions - state-poller.puml: add Notifying SSE subscribers step in Polling state package.json: bump to 1.0.0
5.2 KiB
5.2 KiB
Security Policy & Hardening Guide
Supported Versions
| Version | Supported |
|---|---|
| 1.0.x | ✅ Yes |
| 0.2.x | ❌ No |
| 0.1.x | ❌ No |
Reporting a Vulnerability
Please do not open a public issue for security vulnerabilities. Email: gordon@i3omb.com — expect acknowledgement within 48 hours.
Threat Model
sofarr is a personal dashboard intended for a small trusted group (household/team). It proxies requests to *arr stack services using stored API keys and authenticates users via Emby. The primary threat surface when exposed to the public internet:
| Threat | Mitigations |
|---|---|
| Credential brute-force | Rate limiting (10 fails/15 min per IP), account lockout window |
| Session hijacking | HMAC-signed cookies, httpOnly, secure, sameSite=strict, short TTL |
| CSRF | Double-submit cookie pattern (X-CSRF-Token header required on all mutations) |
| API key leakage via errors | sanitizeError() redacts keys/tokens from all error responses and logs |
| Token theft after logout | Server-side token store; Emby token revoked on logout |
| XSS → token theft | httpOnly cookies; CSP with per-request nonce blocks inline injection |
| Clickjacking | X-Frame-Options: DENY + CSP frame-ancestors 'none' |
| Info disclosure via headers | Helmet v7 removes X-Powered-By, sets noSniff, xssFilter, etc. |
| Privilege escalation (container) | Non-root user (UID 1000), no-new-privileges, all caps dropped |
| Unbounded log growth | Size-based rotation: 10 MB cap, 3 rotated files kept |
| Dependency vulnerabilities | npm audit --audit-level=high in CI on every push |
Production Deployment Checklist
Required
COOKIE_SECRETset to a random 32-byte hex string (openssl rand -hex 32)NODE_ENV=productionTRUST_PROXY=1set if behind a reverse proxy- sofarr bound to
127.0.0.1only (not0.0.0.0) — expose via proxy - HTTPS enforced by the reverse proxy with a valid certificate
- Firewall rules: only 443/80 open externally; 3001 not directly exposed
Recommended
- Reverse proxy: Nginx, Caddy, or Traefik with TLS termination
- Set
Strict-Transport-Securityat proxy level (sofarr also sends HSTS) DATA_DIRon a named Docker volume (not bind-mounted to sensitive host path)- Rotate
COOKIE_SECRETperiodically (causes all users to re-login) - Enable Docker's
--read-onlyflag (already indocker-compose.yaml) - Monitor
/healthendpoint with an uptime checker
Docker Secrets (alternative to env vars)
For production environments that support Docker secrets, you can mount secret files and reference them:
secrets:
cookie_secret:
file: ./secrets/cookie_secret.txt
emby_api_key:
file: ./secrets/emby_api_key.txt
services:
sofarr:
secrets:
- cookie_secret
- emby_api_key
environment:
- COOKIE_SECRET_FILE=/run/secrets/cookie_secret
- EMBY_API_KEY_FILE=/run/secrets/emby_api_key
Note: File-based secret loading requires application code support. Currently sofarr reads secrets from environment variables only. Mounting secrets as env vars (via
environment:in compose) is the current supported approach.
Reverse Proxy Example (Caddy)
sofarr.example.com {
reverse_proxy localhost:3001
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-Robots-Tag "noindex, nofollow"
}
}
Reverse Proxy Example (Nginx)
server {
listen 443 ssl;
server_name sofarr.example.com;
ssl_certificate /etc/letsencrypt/live/sofarr.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sofarr.example.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1:3001;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Required for SSE (Server-Sent Events) — disable response buffering
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 3600s;
}
}
Security Headers (emitted by sofarr)
| Header | Value |
|---|---|
Content-Security-Policy |
default-src 'self'; script-src 'self' 'nonce-…'; style-src 'self' 'nonce-…'; style-src-attr 'unsafe-inline'; img-src 'self' data: blob:; object-src 'none'; frame-ancestors 'none' |
Strict-Transport-Security |
max-age=31536000; includeSubDomains; preload (production only) |
X-Content-Type-Options |
nosniff |
X-Frame-Options |
DENY |
Referrer-Policy |
strict-origin-when-cross-origin |
Permissions-Policy |
camera=(), microphone=(), geolocation=(), payment=(), usb=() |
Rate Limits
| Endpoint | Limit |
|---|---|
POST /api/auth/login |
10 failed attempts per 15 min per IP |
All /api/* routes |
300 requests per 15 min per IP |
Supply Chain
- All dependencies pinned to minor version ranges in
package.json npm audit --audit-level=highruns in CI on every push and pull requestnpm audit fixshould be run when vulnerabilities are reported