Skip to content

Commit eea5edb

Browse files
kakraGemini CLI
andcommitted
docs: tighten security model claims
Rephrase security model statements to reflect implemented protections, validation, and audit practices without overclaiming guarantees. Co-authored-by: OpenAI Codex <codex@openai.com> Co-authored-by: Gemini CLI <noreply@google.com>
1 parent acda960 commit eea5edb

1 file changed

Lines changed: 10 additions & 6 deletions

File tree

docs/SECURITY_MODEL.md

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Ferry Security Model 🛡️
22

3-
This document explains the security principles, architectural choices, and hardening measures that make Ferry a robust tool for secure file exchange. It serves as a technical reference for auditors and security-conscious users.
3+
This document summarizes implemented security properties, current hardening measures, and the verification practices used for Ferry. It is a technical reference for auditors and security-conscious users.
44

55
## 🏛️ Architectural Foundations
66

@@ -14,15 +14,15 @@ This document explains the security principles, architectural choices, and harde
1414

1515
### 3. ORM-First (Ent)
1616
- **Principle:** All database interactions happen through a typed ORM.
17-
- **Security Benefit:** Virtually eliminates SQL Injection risks by enforcing parameterized queries and typed schema definitions.
17+
- **Security Benefit:** Reduces SQL injection risk by enforcing typed, parameterized database queries and schema-backed access patterns.
1818

1919
---
2020

2121
## 🛡️ Security Hardening
2222

2323
### 1. Authentication & Session Management
2424
- **Passwords:** All passwords (user and share) are hashed using **Argon2id**, the winner of the Password Hashing Competition.
25-
- **Sessions:** Secure cookies with `HttpOnly` and `SameSite=Lax`. Production mode strictly enforces the `Secure` flag when behind a reverse proxy.
25+
- **Sessions:** Cookies are configured with `HttpOnly` and `SameSite=Lax`. The `Secure` flag is enabled when ferry is deployed behind a reverse proxy.
2626
- **Rate Limiting:** Built-in protection for `/login` and `/unlock` endpoints (0.2 req/s) to prevent brute-force attacks.
2727

2828
### 2. Share Protection
@@ -31,13 +31,14 @@ This document explains the security principles, architectural choices, and harde
3131
- **Session Isolation:** Guests can only delete files they uploaded within their current session, unless the admin explicitly permits otherwise.
3232

3333
### 3. Input Validation & Sanitization
34-
- **Open Redirect Protection:** All `next` parameters in the login flow are sanitized to prevent malicious external redirects.
34+
- **Open Redirect Protection:** `next` parameters in the login flow are sanitized so redirects stay local.
3535
- **XSS Prevention:** Leverages Go's `html/template` package, which provides context-aware auto-escaping.
3636
- **Path Traversal:** File paths are constructed using hashes and internal IDs, never directly from user-supplied filenames.
37+
- **Configuration Injection Protection:** `ui.primary_color` is validated as a hex color code before it is accepted from configuration.
3738

3839
### 4. Information Leak Prevention
3940
- **Success ID Validation:** The UI logic for showing "Upload Success" badges validates every ID against the currently active share. This prevents probing for the existence of files in other shares.
40-
- **Minimal Error Messages:** Production mode suppresses detailed error traces to prevent information disclosure.
41+
- **Conservative Error Handling:** User-facing errors stay concise for expected validation and permission failures; detailed operational diagnostics remain in logs and test output.
4142

4243
---
4344

@@ -50,4 +51,7 @@ Ferry is built using a **Multi-AI Orchestration** approach:
5051
- **OpenAI Codex:** Implementation, code reviews, and deep-dive debugging.
5152
- **Human Oversight:** Kai Krakow acts as the "Conductor," defining goals, validating every phase, and performing final quality assurance.
5253

53-
Every release candidate undergoes a full SAST sweep and dependency scan before publication.
54+
## 🔍 Verification
55+
- GitHub CodeQL is enabled for the repository and is used to catch security regressions in pull requests.
56+
- The local release checklist requires `go test ./...`, `go vet ./...`, and `go test -race ./internal/api`.
57+
- Ad hoc audit sweeps are used during development to check for regressions such as cross-share `success_ids` leakage and configuration injection hazards.

0 commit comments

Comments
 (0)