authelia/docs/security.md

# Security

## Protection against cookie theft

Authelia uses two mechanisms to protect against cookie theft:
1. session attribute `httpOnly` set to true make client-side code unable to
read the cookie.
2. session attribute `secure` ensure the cookie will never be sent over an
insecure HTTP connections.

## Protection against multi-domain cookie attacks

Since Authelia uses multi-domain cookies to perform single sign-on, an
attacker who poisoned a user's DNS cache can easily retrieve the user's
cookies by making the user send a request to one of the attacker's IPs.

To mitigate this risk, it's advisable to only use HTTPS connections with valid
certificates and enforce it with HTTP Strict Transport Security ([HSTS]) so
that the attacker must also require the certificate to retrieve the cookies.

Note that using [HSTS] has consequences. That's why you should read the blog
post nginx has written on [HSTS].

## Notifier security measures (SMTP)

By default the SMTP Notifier implementation does not allow connections that are not secure.
As such all connections require the following:

1. STARTTLS before authentication or sending emails (unauthenticated connections 
require it as well)
2. Valid X509 Certificate presented to the client during the STARTTLS handshake

There is an option to disable both of these security measures however they are
not recommended. You should only do this in a situation where you control all 
networks between Authelia and the SMTP server. The following configuration options
exist to configure the security level:

### Configuration Option: disable_verify_cert

This is a YAML boolean type (true/false, y/n, 1/0, etc). This disables the X509 PKI
verification mechanism. We recommend using the trusted_cert option over this, as 
disabling this security feature makes you vulnerable to MITM attacks.

### Configuration Option: disable_require_tls

This is a YAML boolean type (true/false, y/n, 1/0, etc). This disables the 
requirement that all connections must be over TLS. This is only usable currently
with authentication disabled (comment the password) and as such is only an
option for SMTP servers that allow unauthenticated relay (bad practice).

### Configuration Option: trusted_cert
This is a YAML string type. This specifies the file location of a pub certificate
that can be used to validate the authenticity of a server with a self signed
certificate. This can either be the public cert of the certificate authority
used to sign the certificate or the public key itself. They must be in the PEM
format. The certificate is added in addition to the certificates trusted by the 
host machine. If the certificate is invalid, inaccessible, or is otherwise not 
configured; Authelia just uses the hosts certificates.

### Explanation
There are a few reasons for the security measures implemented:
1. Transmitting username's and passwords over plain-text is an obvious vulnerability
2. The emails generated by Authelia, if transmitted in plain-text could allow
an attacker to intercept a link used to setup 2FA; which reduces security
3. Not validating the identity of the server allows man-in-the-middle attacks

## More protections measures with Nginx

You can also apply the following headers to your nginx configuration for
improving security. Please read the documentation of those headers before
applying them blindly.

```
# We don't want any credentials / TOTP secret key / QR code to be cached by
# the client
add_header Cache-Control "no-store";
add_header Pragma "no-cache";

# Clickjacking / XSS protection

# We don't want Authelia's login page to be rendered within a <frame>, 
# <iframe> or <object> from an external website.
add_header X-Frame-Options "SAMEORIGIN";

# Block pages from loading when they detect reflected XSS attacks.
add_header X-XSS-Protection "1; mode=block";
```

## Contributing

If you find possible vulnerabilities or threats, do not hesitate to contribute
either by writing a test case demonstrating the possible attack and if
possible some solutions to prevent it or submit a PR.

[HSTS]: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
-												Refactor README into several documents unders docs directory. (#265)


											
										
										
											2018-08-26 21:46:15 +00:00
+								# Security
 								## Protection against cookie theft
-												Update README and documentation to close refactoring.

											
										
										
											2019-12-05 20:52:04 +00:00
+								Authelia uses two mechanisms to protect against cookie theft:
-												Refactor README into several documents unders docs directory. (#265)


											
										
										
											2018-08-26 21:46:15 +00:00
+. session attribute `httpOnly` set to true make client-side code unable to
 								read the cookie.
 . session attribute `secure` ensure the cookie will never be sent over an
-												Misc Spelling Corrections

- Mostly changes to spelling of comments/docs/displayed text
- A few changes to test function names

											
										
										
											2020-01-21 00:10:00 +00:00
+								insecure HTTP connections.
-												Refactor README into several documents unders docs directory. (#265)


											
										
										
											2018-08-26 21:46:15 +00:00
 								## Protection against multi-domain cookie attacks
 								Since Authelia uses multi-domain cookies to perform single sign-on, an
-												Misc Spelling Corrections

- Mostly changes to spelling of comments/docs/displayed text
- A few changes to test function names

											
										
										
											2020-01-21 00:10:00 +00:00
+								attacker who poisoned a user's DNS cache can easily retrieve the user's
-												Refactor README into several documents unders docs directory. (#265)


											
										
										
											2018-08-26 21:46:15 +00:00
+								cookies by making the user send a request to one of the attacker's IPs.
 								To mitigate this risk, it's advisable to only use HTTPS connections with valid
 								certificates and enforce it with HTTP Strict Transport Security ([HSTS]) so
 								that the attacker must also require the certificate to retrieve the cookies.
 								Note that using [HSTS] has consequences. That's why you should read the blog
 								post nginx has written on [HSTS].
-												Force TLS and valid x509 certs in SMTP Notifier by default

- Adjust AUTH LOGIN functionality to be closer to AUTH PLAIN
- Removed: secure (notifier smtp conf) boolean string
- Added: disable_verify_cert (notifier smtp conf) boolean
    - disables X509 validation of certificates
- Added: disable_require_tls (notifier smtp conf) boolean
    - allows emails to be sent over plain text (for non-authenticated only)
- Added: trusted_cert (notifier smtp conf) string (path)
    - allows specifying the path of a PEM format cert to add to trusted cert pool
- Make SMTP notifier return errors on connection over plain text
- Make SMTP notifier return errors on TLS connection with invalid certs
- Implemented various debug logging for the SMTP notifier
- Implemented explicit SMTP closes on errors (previously left con open)
- Split SMTPNotifier Send func to seperate funcs for:
    - writing future test suites and startup checks more easily
    - organization and readability
- Add details of changes to docs/security.yml
- Adjust config.yml's (template and test) for the changes

											
										
										
											2019-12-30 02:03:51 +00:00
+								## Notifier security measures (SMTP)
 								By default the SMTP Notifier implementation does not allow connections that are not secure.
 								As such all connections require the following:
 . STARTTLS before authentication or sending emails (unauthenticated connections
 								require it as well)
 . Valid X509 Certificate presented to the client during the STARTTLS handshake
 								There is an option to disable both of these security measures however they are
 								not recommended. You should only do this in a situation where you control all
 								networks between Authelia and the SMTP server. The following configuration options
 								exist to configure the security level:
 								### Configuration Option: disable_verify_cert
 								This is a YAML boolean type (true/false, y/n, 1/0, etc). This disables the X509 PKI
 								verification mechanism. We recommend using the trusted_cert option over this, as
 								disabling this security feature makes you vulnerable to MITM attacks.
 								### Configuration Option: disable_require_tls
 								This is a YAML boolean type (true/false, y/n, 1/0, etc). This disables the
 								requirement that all connections must be over TLS. This is only usable currently
 								with authentication disabled (comment the password) and as such is only an
 								option for SMTP servers that allow unauthenticated relay (bad practice).
 								### Configuration Option: trusted_cert
 								This is a YAML string type. This specifies the file location of a pub certificate
 								that can be used to validate the authenticity of a server with a self signed
 								certificate. This can either be the public cert of the certificate authority
 								used to sign the certificate or the public key itself. They must be in the PEM
 								format. The certificate is added in addition to the certificates trusted by the
-												Misc Spelling Corrections

- Mostly changes to spelling of comments/docs/displayed text
- A few changes to test function names

											
										
										
											2020-01-21 00:10:00 +00:00
+								host machine. If the certificate is invalid, inaccessible, or is otherwise not
-												Force TLS and valid x509 certs in SMTP Notifier by default

- Adjust AUTH LOGIN functionality to be closer to AUTH PLAIN
- Removed: secure (notifier smtp conf) boolean string
- Added: disable_verify_cert (notifier smtp conf) boolean
    - disables X509 validation of certificates
- Added: disable_require_tls (notifier smtp conf) boolean
    - allows emails to be sent over plain text (for non-authenticated only)
- Added: trusted_cert (notifier smtp conf) string (path)
    - allows specifying the path of a PEM format cert to add to trusted cert pool
- Make SMTP notifier return errors on connection over plain text
- Make SMTP notifier return errors on TLS connection with invalid certs
- Implemented various debug logging for the SMTP notifier
- Implemented explicit SMTP closes on errors (previously left con open)
- Split SMTPNotifier Send func to seperate funcs for:
    - writing future test suites and startup checks more easily
    - organization and readability
- Add details of changes to docs/security.yml
- Adjust config.yml's (template and test) for the changes

											
										
										
											2019-12-30 02:03:51 +00:00
+								configured; Authelia just uses the hosts certificates.
 								### Explanation
 								There are a few reasons for the security measures implemented:
-												Misc Spelling Corrections

- Mostly changes to spelling of comments/docs/displayed text
- A few changes to test function names

											
										
										
											2020-01-21 00:10:00 +00:00
+. Transmitting username's and passwords over plain-text is an obvious vulnerability
-												Force TLS and valid x509 certs in SMTP Notifier by default

- Adjust AUTH LOGIN functionality to be closer to AUTH PLAIN
- Removed: secure (notifier smtp conf) boolean string
- Added: disable_verify_cert (notifier smtp conf) boolean
    - disables X509 validation of certificates
- Added: disable_require_tls (notifier smtp conf) boolean
    - allows emails to be sent over plain text (for non-authenticated only)
- Added: trusted_cert (notifier smtp conf) string (path)
    - allows specifying the path of a PEM format cert to add to trusted cert pool
- Make SMTP notifier return errors on connection over plain text
- Make SMTP notifier return errors on TLS connection with invalid certs
- Implemented various debug logging for the SMTP notifier
- Implemented explicit SMTP closes on errors (previously left con open)
- Split SMTPNotifier Send func to seperate funcs for:
    - writing future test suites and startup checks more easily
    - organization and readability
- Add details of changes to docs/security.yml
- Adjust config.yml's (template and test) for the changes

											
										
										
											2019-12-30 02:03:51 +00:00
+. The emails generated by Authelia, if transmitted in plain-text could allow
 								an attacker to intercept a link used to setup 2FA; which reduces security
 . Not validating the identity of the server allows man-in-the-middle attacks
-												Refactor README into several documents unders docs directory. (#265)


											
										
										
											2018-08-26 21:46:15 +00:00
+								## More protections measures with Nginx
 								You can also apply the following headers to your nginx configuration for
 								improving security. Please read the documentation of those headers before
 								applying them blindly.
 								```
 								# We don't want any credentials / TOTP secret key / QR code to be cached by
 								# the client
 								add_header Cache-Control "no-store";
 								add_header Pragma "no-cache";
 								# Clickjacking / XSS protection
 								# We don't want Authelia's login page to be rendered within a <frame>,
 								# <iframe> or <object> from an external website.
 								add_header X-Frame-Options "SAMEORIGIN";
 								# Block pages from loading when they detect reflected XSS attacks.
 								add_header X-XSS-Protection "1; mode=block";
 								```
 								## Contributing
 								If you find possible vulnerabilities or threats, do not hesitate to contribute
 								either by writing a test case demonstrating the possible attack and if
 								possible some solutions to prevent it or submit a PR.
 								[HSTS]: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/