From 3186535537f3d43d0a65a4f54015d26c8ed61ff0 Mon Sep 17 00:00:00 2001 From: Sam Date: Mon, 29 Jul 2013 16:25:28 +1000 Subject: [PATCH] initial draft of security document --- docs/SECURITY.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 docs/SECURITY.md diff --git a/docs/SECURITY.md b/docs/SECURITY.md new file mode 100644 index 00000000000..3091d9832da --- /dev/null +++ b/docs/SECURITY.md @@ -0,0 +1,52 @@ +##Discourse Security Guide + +The following guide covers security regarding your Discourse installation + +###Password Storage + +Discourse uses the PBKDF2 algorithm to encrypt salted passwords. This algorithm is blessed by NIST. There is an in-depth discussion about its merits in http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage. + +**options you can customise in your production.rb file** + +pbkdf2_algorithm: the hashing algorithm used (default "sha256") +pbkdf2_iterations: the number of iterations to run (default is: 64000) + + +### XSS + +The main vector for XSS attacks is via the "composer", as we allow users to generate rather rich markdown we need to protect against poison markdown. + +For the composer there are 2 main scenarios we protect against: + +1. Markdown preview invokes an XSS. This is severe cause an admin may edit a user's post and a malicious user may then run JavaScript in the context of an admin. + +2. Markdown displayed on the page invokes an XSS. + +To protect against client side "preview" XSS, Discourse uses Google Caja https://code.google.com/p/google-caja/ in the preview window. + +On the server side we run a whitelist based sanitizer, implemented using the Sanitize gem https://github.com/rgrove/sanitize see: https://github.com/discourse/discourse/blob/master/lib/pretty_text.rb + +In addition, titles and all other places where non-admins can enter code is protected either using the Handlebars library or standard Rails XSS protection. + +### CSRF + +CSRF allows malicious sites to perform HTTP requests pretending to be an end-user (without their knowledge) more at: http://en.wikipedia.org/wiki/Cross-site_request_forgery + +Discourse extends the built-in Rails CSRF protection in a couple of ways: + +1. By default any non GET requests ALWAYS require a valid CSRF token. If a CSRF token is missing Discourse will raise an exception. + +2. API calls using the secret API bypass CSRF checks + +3. Certain pages are "cachable", we do not render the CSRF token (`