SECURITY_UPGRADE_PRIVATE.md (2973B)
1 # PRIVATE: Security Upgrade Plan (Core) 2 3 Last updated: 2026-02-22 4 5 This document is for internal planning and prioritization. 6 7 ## Scope 8 9 Core server and first-party client: 10 - `server.js` 11 - `public/app.js` 12 - auth/session, plugin loading, WebSocket abuse controls, upload surface, role controls 13 14 ## Risk priorities 15 16 ### P0 (immediate) 17 18 1. Tighten plugin trust boundary 19 - Move plugin install/enable/uninstall/reload from moderator to admin/owner. 20 - Add plugin signing + trusted publisher checks. 21 - Add optional `PLUGIN_INSTALL_DISABLED=1` hard lock for production. 22 23 2. Add message flood controls 24 - Add rate limits for: 25 - `newPost` 26 - `chatMessage` 27 - `dmSend` 28 - `dmSendMod` 29 - Include server-side hard caps + backoff events. 30 31 3. Raise password baseline 32 - Increase minimum from 4 to 10+. 33 - Add optional strong policy mode (length + complexity). 34 - Add migration note for existing instances. 35 36 ### P1 (near-term) 37 38 4. Move session storage out of `localStorage` 39 - Switch to secure session cookies: 40 - `HttpOnly` 41 - `Secure` 42 - `SameSite=Lax` (or `Strict` if compatible) 43 - Keep token rotation and invalidation. 44 45 5. WebSocket origin + payload hardening 46 - Add explicit origin allowlist env (`WS_ORIGIN_ALLOWLIST`). 47 - Reject unknown origins at WS handshake. 48 - Set explicit WS max payload and close on overflow. 49 50 6. TURN credential hardening 51 - Move from static TURN credentials to short-lived credentials. 52 - Add relay abuse monitoring and quotas. 53 54 ### P2 (mid-term) 55 56 7. Security headers and deployment defaults 57 - Add HSTS when HTTPS is confirmed. 58 - Re-check CSP for least privilege after plugin API updates. 59 60 8. Audit and tamper logging 61 - Security log stream for: 62 - role changes 63 - plugin install/uninstall 64 - repeated failed auth 65 - unusual upload spikes 66 67 9. Safe plugin execution model 68 - Evaluate plugin sandbox strategy: 69 - isolate process 70 - permission-gated API 71 - no raw filesystem/process access by default 72 73 ## New role model update (current change) 74 75 Added base role: 76 - `admin` (between `moderator` and `owner`) 77 78 Intent: 79 - Admin can manage plugins and access owner-level views. 80 - Owner remains final authority for destructive or ownership-sensitive operations. 81 82 ## Implementation checkpoints 83 84 ### Phase A (this release train) 85 - [x] Add `admin` role in core role hierarchy. 86 - [x] Restrict plugin management to admin/owner. 87 - [ ] Add RL buckets for post/chat/dm sends. 88 89 ### Phase B 90 - [ ] Cookie-based session migration. 91 - [ ] WS origin allowlist. 92 - [ ] WS payload limit hard cap. 93 94 ### Phase C 95 - [ ] Plugin signing and trust policy. 96 - [ ] Optional plugin sandbox architecture draft. 97 98 ## Validation checklist per phase 99 100 - Unit/smoke test auth flows. 101 - Verify moderation matrix (member/mod/admin/owner). 102 - Load test chat + DM flood controls. 103 - Confirm plugin lifecycle still works for admin/owner only. 104 - Verify no regression in mobile/desktop UX around auth and chat. 105