mporwoll/documentation
1
0
Fork 0
mirror of https://github.com/complexcaresolutions/documentation.git synced 2026-03-17 16:23:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
documentation/security/SECURITY.md

143 lines
4.3 KiB
Markdown
Raw Permalink Blame History

# Security-Richtlinien - Payload CMS Multi-Tenant
> Letzte Aktualisierung: 29.12.2025
## Übersicht
| Umgebung | URL | TRUST_PROXY |
|----------|-----|-------------|
| Production | https://cms.c2sgmbh.de | `true` (Nginx) |
| Staging | https://pl.porwoll.tech | `true` (Caddy) |
---
## Security-Module
Alle Security-Funktionen in `src/lib/security/`:
| Modul | Datei | Zweck |
|-------|-------|-------|
| Rate Limiter | `rate-limiter.ts` | Schutz vor API-Missbrauch |
| IP Allowlist | `ip-allowlist.ts` | IP-basierte Zugriffskontrolle |
| CSRF Protection | `csrf.ts` | Cross-Site Request Forgery Schutz |
| Data Masking | `data-masking.ts` | Sensitive Daten in Logs maskieren |
### Rate Limiter
| Name | Limit | Fenster | Verwendung |
|------|-------|---------|------------|
| `publicApiLimiter` | 60 Requests | 1 Minute | Öffentliche API |
| `authLimiter` | 5 Requests | 15 Minuten | Login-Versuche |
| `emailLimiter` | 10 Requests | 1 Minute | E-Mail-Versand |
| `searchLimiter` | 30 Requests | 1 Minute | Suche & Posts-API |
| `formLimiter` | 5 Requests | 10 Minuten | Formular-Submissions |
Redis-Support: Automatischer Fallback auf In-Memory-Store.
### IP Allowlist/Blocklist
> **WICHTIG:** Hinter Reverse-Proxy (Caddy, Nginx) MUSS `TRUST_PROXY=true` gesetzt werden!
| Variable | Zweck | Format |
|----------|-------|--------|
| `TRUST_PROXY` | Proxy-Header vertrauen | `true` oder leer |
| `BLOCKED_IPS` | Globale Blocklist | IP, CIDR, Wildcard |
| `SEND_EMAIL_ALLOWED_IPS` | E-Mail-Endpoint | IP, CIDR, Wildcard |
| `ADMIN_ALLOWED_IPS` | Admin-Panel | IP, CIDR, Wildcard |
| `WEBHOOK_ALLOWED_IPS` | Webhook-Endpoint | IP, CIDR, Wildcard |
### CSRF Protection
Pattern: Double Submit Cookie
Token-Endpoint: `GET /api/csrf-token`
> **WICHTIG:** In Production MUSS `CSRF_SECRET` oder `PAYLOAD_SECRET` konfiguriert sein.
### Data Masking
Automatisch maskierte Felder: password, token, apiKey, secret, credentials, privateKey, smtpPassword
---
## Pre-Commit Hook
```bash
ln -sf ../../scripts/detect-secrets.sh .git/hooks/pre-commit
```
Erkannte Patterns: API Keys, AWS Credentials, Private Keys, Passwörter, SMTP, DB Connection Strings, JWT, Webhook URLs.
---
## CI/CD Security
| Job | Prüfung |
|-----|--------|
| `secrets` | Gitleaks Secret Scanning |
| `dependencies` | npm audit, Dependency Check |
| `codeql` | Static Code Analysis |
| `security-tests` | 177 Security Unit & Integration Tests |
---
## Test Suite
```bash
pnpm test:security # Alle Security-Tests
pnpm test:unit # Nur Unit-Tests
```
| Test-Datei | Tests | Bereich |
|------------|-------|---------|
| `rate-limiter.unit.spec.ts` | 24 | Limiter, Tracking, TRUST_PROXY |
| `csrf.unit.spec.ts` | 34 | Token, Validierung, Origin |
| `ip-allowlist.unit.spec.ts` | 35 | CIDR, Wildcards, TRUST_PROXY |
| `data-masking.unit.spec.ts` | 41 | Felder, Patterns, Rekursion |
| `security-api.int.spec.ts` | 33 | API-Integration |
---
## Production Checklist
- [ ] `TRUST_PROXY=true` setzen (Pflicht hinter Reverse-Proxy)
- [ ] `CSRF_SECRET` oder `PAYLOAD_SECRET` setzen
- [ ] `BLOCKED_IPS` für bekannte Angreifer
- [ ] `SEND_EMAIL_ALLOWED_IPS` auf vertrauenswürdige IPs
- [ ] `ADMIN_ALLOWED_IPS` auf Office/VPN-IPs
- [ ] Redis für verteiltes Rate Limiting
- [ ] Pre-Commit Hook aktivieren
---
## Custom Login Route
Audit-Logging, Rate-Limiting (5/15min), Browser-Redirect, Multi-Content-Type Support.
Redirect-Validierung: Nur relative Pfade, externe URLs blockiert, Protocol-Handler abgelehnt.
---
## Dateien
| Pfad | Beschreibung |
|------|-------------|
| `src/lib/security/rate-limiter.ts` | Rate Limiting |
| `src/lib/security/ip-allowlist.ts` | IP-Zugriffskontrolle |
| `src/lib/security/csrf.ts` | CSRF Token |
| `src/lib/security/data-masking.ts` | Data Masking |
| `src/app/(payload)/api/users/login/route.ts` | Custom Login |
| `scripts/detect-secrets.sh` | Pre-Commit Detection |
| `.github/workflows/security.yml` | CI Security |
| `tests/unit/security/` | Unit Tests |
| `tests/int/security-api.int.spec.ts` | Integration Tests |
---
## Änderungshistorie
| Datum | Änderung |
|-------|----------|
| 29.12.2025 | Custom Login Page Abschnitt entfernt |
| 17.12.2025 | Security-Audit Fixes: TRUST_PROXY, CSRF_SECRET, Tests auf 177 erweitert |
| 08.12.2025 | Security Test Suite (143 Tests) |
| 07.12.2025 | Rate Limiter, CSRF, IP Allowlist, Data Masking |
Reference in a new issue View git blame Copy permalink