Merge pull request #69 from gurucomputing/68-add-securitymd-documenta…

…tion added SECURITY.md
gurucomputing · Oct 12, 2022 · f9468ef · f9468ef
2 parents 3792920 + de3f3e7
commit f9468ef
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,12 @@
+### Authentication and Authorization
+In the current client-only format, the headscale API secret is stored within the browser's `localStorage` area. While `localStorage` is not an ideal location for secrets storage, it is currently the *only* possible method of securing data to a browser without some sort of backend facilitation.
+
+What this means to *you* is that your API credentials are tied to your browser profile. If you open an incognito window or another browser profile, your API key will *not* carry across.
+
+`localStorage` secrets have the possibility of being exploited by XSS. This exploitation avenue is mitigated by the static nature of the site: all pages are protected by a hashsum CSP (content security protection) that prevent modifying or adding javascript from other sources.
+
+The future state for `heascale-ui` is not to rely on `localStorage` at all, but due to the architecture, any other methods require tighter integration with the core `headscale` product. For now this is not on the headscale roadmap.
+
+## Vulnerability Disclosure
+
+If any method of bypassing or leaking the `localStorage` secrets is found, please contact myself directly at `chris@gurucomputing.com.au` rather than opening an issue.
diff --git a/documentation/architecture.md b/documentation/architecture.md
@@ -7,11 +7,6 @@ Headscale-UI uses the `static` adapter built into svelte-kit, meaning that sever
 ### Client Side Design
 All Headscale-UI features and functions should be client side only. *Any* backend features should be considered to be implemented in a separate backend. This can be the [Headscale](https://github.com/juanfont/headscale) application itself (preferred), or potentially implementing a Backend-as-a-Service API such as [Supabase](https://supabase.com/).
 
-### Authentication and Authorization
-In the current alpha format, the headscale API secret is stored within the browser's `localStorage` area. This method of credential storage is not ideal as localStorage can potentially be exploited by XSS (cross-site scripting) vulnerabilities. The long term goal is to integrate Headscale-UI into Headscale's OIDC authentication capabilities, but discovery is required to implement this feature (as well as cooperation from the upstream project).
-
-For now, it is recommended that credentials only be saved on trusted computers and to use short API key expiries where possible.
-
 ## Dependencies
 Dependencies are kept to a minimum and kept to large, actively maintained repositories. Great care should be taken before suggesting or adding any additional dependencies: headscale is a sensitive tool and attack surfaces must be kept minimal.