Squashed from chore/license-relicense. Full message preserved in the original branch commitbb77eb5. See ADR-0002 for the decision rationale. Refs: ADR-0002, commitbb77eb5
80 lines
2.4 KiB
Markdown
80 lines
2.4 KiB
Markdown
[//]: # (SPDX-License-Identifier: MIT)
|
|
[//]: # (Copyright (c) 2026 Rug Munch Media LLC)
|
|
# SECURITY.md — PryScraper
|
|
|
|
> Threat model, secrets, auth, rate limiting, vuln disclosure.
|
|
|
|
## Threat Model
|
|
|
|
### Assets
|
|
- User wallets (private keys never touch our servers — verified by signature)
|
|
- API keys (gopass)
|
|
- DB credentials (gopass)
|
|
- Reputation (RMM LLC brand)
|
|
|
|
### Threats
|
|
1. **Secret leak to git** — gitleaks pre-commit hook + history scan on incidents
|
|
2. **SQL injection** — SQLAlchemy ORM + parameter binding only
|
|
3. **XSS** — React auto-escapes; CSP headers on nginx
|
|
4. **CSRF** — SameSite=Strict cookies + Bearer tokens
|
|
5. **DDoS** — Cloudflare proxy in front
|
|
6. **Supply chain** — renovate keeps deps updated; pip-audit weekly
|
|
|
|
## Secrets
|
|
|
|
**Storage**: gopass (`rmi/pryscraper/*`)
|
|
|
|
**Loading**:
|
|
- Local dev: `.env` file (gitignored)
|
|
- Production: docker `--env-file`, systemd `EnvironmentFile`
|
|
|
|
**Rotation**:
|
|
- API tokens: quarterly
|
|
- DB passwords: quarterly
|
|
- Signing keys: on personnel change
|
|
|
|
**Audit**: any secret leak triggers rotation within 1 hour.
|
|
|
|
## Authentication
|
|
- Bearer tokens for API
|
|
- OAuth2 (Telegram, etc) for user-facing bots
|
|
- x402 micropayments for paid endpoints (signing via Solana/EVM wallet)
|
|
|
|
## Authorization
|
|
- RBAC for admin endpoints
|
|
- Rate limiting per IP/token (sliding window)
|
|
- Admin endpoints require `cfg.admin_key` check
|
|
|
|
## Input Validation
|
|
- Pydantic models for ALL API inputs (no `dict`/`any` types)
|
|
- Length limits, regex validation, enum constraints
|
|
- Reject any input containing mainnet addresses/keys (pre-commit hook)
|
|
|
|
## Rate Limiting
|
|
- Default: 60 req/min per IP
|
|
- Burst: 100 req
|
|
- Authenticated: 600 req/min
|
|
- Returns 429 with `Retry-After` header
|
|
|
|
## Dependencies
|
|
- `pip-audit` weekly (CI)
|
|
- `safety check` weekly (CI)
|
|
- Renovate bot for auto-PR updates
|
|
|
|
## Vulnerability Disclosure
|
|
Email: security@rugmunch.io (PGP key in gopass)
|
|
Response within 24 hours.
|
|
Patch within 7 days for critical, 30 days for medium.
|
|
|
|
## Audit Log
|
|
Every state-changing action logged to:
|
|
- `app/state/audit/` (JSONL, append-only)
|
|
- ClickHouse (analytics, 90-day retention)
|
|
- WORM storage (R2 with object lock, 7-year retention)
|
|
|
|
## Incident Response
|
|
1. Detect (alert from monitoring)
|
|
2. Contain (revoke compromised secrets, block IPs)
|
|
3. Eradicate (patch vuln, deploy fix)
|
|
4. Recover (verify systems clean, restore from backup if needed)
|
|
5. Learn (post-mortem, update SECURITY.md)
|