diff --git a/docs/security/threat-model.md b/docs/security/threat-model.md index c11a934d5..5c553bd27 100644 --- a/docs/security/threat-model.md +++ b/docs/security/threat-model.md @@ -5,21 +5,18 @@ parent: Security nav_order: 2 --- - # Threat Model The design goals for Authelia is to protect access to applications by collaborating with reverse proxies to prevent attacks coming from the edge of the network. This document gives an overview of what Authelia is protecting against but some -of those points are also detailed in [Security Measures](./security/measures.md). +of those points are also detailed in [Security Measures](./measures.md). - -## General assumptions +## General assumptions Authelia is considered to be running within a trusted network and it heavily relies on the first level of security provided by reverse proxies. It's very important that you take time configuring your reverse proxy properly to get all the authentication benefits brought by Authelia. -Some general security tweaks are listed in [Security Measures](./security/measures.md) to give you some ideas. +Some general security tweaks are listed in [Security Measures](./measures.md) to give you some ideas. - -## Guarantees +## Guarantees If properly configured, Authelia guarantees the following for security of your users and your apps: @@ -32,7 +29,6 @@ If properly configured, Authelia guarantees the following for security of your u * Prevention against LDAP injection by following OWASP recommendations regarding valid input characters (https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html). * Connections between Authelia and thirdparty components like mail server, database, cache and LDAP server can be made over TLS to protect against man-in-the-middle attacks from within the infrastructure. - ## Potential future guarantees * Define and enforce a password policy (to be designed since such a policy can clash with a policy set by the LDAP server). @@ -43,7 +39,6 @@ If properly configured, Authelia guarantees the following for security of your u * Protect secrets stored in DB with encryption to prevent secrets leak by DB exfiltration. * Least privilege on LDAP binding operations (currently administrative user is used to bind while it could be anonymous). - ## Trusted environment It's important to note that Authelia is considered running in a trusted environment for two reasons