Fix broken link in threat model. (#908)

pull/906/head
Clément Michaud 2020-04-23 23:18:16 +02:00 committed by GitHub
parent a3721b69ce
commit 1b8dccb806
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 9 deletions


@ -5,21 +5,18 @@ parent: Security
nav_order: 2 nav_order: 2
--- ---
# Threat Model # Threat Model
The design goals for Authelia is to protect access to applications by collaborating with reverse proxies to prevent The design goals for Authelia is to protect access to applications by collaborating with reverse proxies to prevent
attacks coming from the edge of the network. This document gives an overview of what Authelia is protecting against but some attacks coming from the edge of the network. This document gives an overview of what Authelia is protecting against but some
of those points are also detailed in [Security Measures](./security/measures.md). of those points are also detailed in [Security Measures](./measures.md).
## General assumptions
## General assumptions
Authelia is considered to be running within a trusted network and it heavily relies on the first level of security provided by reverse proxies. It's very important that you take time configuring your reverse proxy properly to get all the authentication benefits brought by Authelia. Authelia is considered to be running within a trusted network and it heavily relies on the first level of security provided by reverse proxies. It's very important that you take time configuring your reverse proxy properly to get all the authentication benefits brought by Authelia.
Some general security tweaks are listed in [Security Measures](./security/measures.md) to give you some ideas. Some general security tweaks are listed in [Security Measures](./measures.md) to give you some ideas.
## Guarantees
## Guarantees
If properly configured, Authelia guarantees the following for security of your users and your apps: If properly configured, Authelia guarantees the following for security of your users and your apps:
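Review bot: The new relative target `./measures.md` in the two changed lines is consistent with the `parent: Security` front matter shown in the hunk header, i.e. this page already sits under the security section, so the old `./security/measures.md` pointed one directory too deep; both occurrences are updated, so please confirm with a local site build that the rendered links resolve. Since the surrounding context is being touched anyway, the grammar in the unchanged first line could be fixed at the same time: "The design goals for Authelia is to protect" should read "The design goals for Authelia are to protect".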
@ -32,7 +29,6 @@ If properly configured, Authelia guarantees the following for security of your u
* Prevention against LDAP injection by following OWASP recommendations regarding valid input characters (https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html). * Prevention against LDAP injection by following OWASP recommendations regarding valid input characters (https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html).
* Connections between Authelia and thirdparty components like mail server, database, cache and LDAP server can be made over TLS to protect against man-in-the-middle attacks from within the infrastructure. * Connections between Authelia and thirdparty components like mail server, database, cache and LDAP server can be made over TLS to protect against man-in-the-middle attacks from within the infrastructure.
## Potential future guarantees ## Potential future guarantees
* Define and enforce a password policy (to be designed since such a policy can clash with a policy set by the LDAP server). * Define and enforce a password policy (to be designed since such a policy can clash with a policy set by the LDAP server).
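Review bot: This hunk is a pure one-line removal (7 -> 6) with no visible text change, presumably a blank line before `## Potential future guarantees`; that is fine, but the unchanged context has a wording issue worth a follow-up since it sits under a "guarantees" heading: "Connections between Authelia and thirdparty components ... can be made over TLS" describes an optional configuration, not a guarantee, so it would be clearer as "When configured to do so, connections between Authelia and third-party components ... are made over TLS" (and "thirdparty" should be "third-party").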
@ -43,7 +39,6 @@ If properly configured, Authelia guarantees the following for security of your u
* Protect secrets stored in DB with encryption to prevent secrets leak by DB exfiltration. * Protect secrets stored in DB with encryption to prevent secrets leak by DB exfiltration.
* Least privilege on LDAP binding operations (currently administrative user is used to bind while it could be anonymous). * Least privilege on LDAP binding operations (currently administrative user is used to bind while it could be anonymous).
## Trusted environment ## Trusted environment
It's important to note that Authelia is considered running in a trusted environment for two reasons It's important to note that Authelia is considered running in a trusted environment for two reasons
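Review bot: This hunk also removes only a line (7 -> 6) ahead of `## Trusted environment` with no content change, so the blank line before the heading is gone; please check that the site's markdown renderer still produces a heading here, as some renderers are sensitive to a missing blank line before an ATX heading. In the trailing context, "for two reasons" should end with a colon so it introduces the list that follows.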