stremio-beamup icon indicating copy to clipboard operation
stremio-beamup copied to clipboard

Published 20 hours ago verified publisher icon Stremio

security hardening

Open Ivshti opened this issue 4 years ago • 0 comments

  • [ ] check if git hooks can run arbitrary code on push, in the way they're configured by dokku; in other words, can you inject code via git hooks
  • [ ] dokku allows nginx config to be customized; while we don't use that config as we just auto-configure nginx on the swarm, can the nginx config customization feature be used to attack the deployer? perhaps by hijacking port 5000
    • in any case, better to disallow it
  • [ ] customize the default dokku CHECK so that it ensures what you're pushing is an addon
  • [ ] limit size of docker images and containers
    • harder than it initially looks cause this is no longe rsupported on the default storage driver (overlayfs) unless you're running xfs underneath
  • [ ] nginx: short timeouts, 5-10 seconds
  • [x] firewall: only expose 80 (or 443) from the swarm, only 22 from the deployer

Ivshti avatar Apr 15 '20 17:04 Ivshti