From a3721b69ce2cd2be9991c010894fa8cb95f48eb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Michaud?= Date: Thu, 23 Apr 2020 22:59:04 +0200 Subject: [PATCH] Add mention about TLS support in threat model. (#907) * Add mention about TLS support in threat model. * Try to fix title rendering. --- docs/security/threat-model.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/security/threat-model.md b/docs/security/threat-model.md index a9f5fa684..c11a934d5 100644 --- a/docs/security/threat-model.md +++ b/docs/security/threat-model.md @@ -5,17 +5,20 @@ parent: Security nav_order: 2 --- + # Threat Model The design goals for Authelia is to protect access to applications by collaborating with reverse proxies to prevent attacks coming from the edge of the network. This document gives an overview of what Authelia is protecting against but some of those points are also detailed in [Security Measures](./security/measures.md). + ## General assumptions Authelia is considered to be running within a trusted network and it heavily relies on the first level of security provided by reverse proxies. It's very important that you take time configuring your reverse proxy properly to get all the authentication benefits brought by Authelia. Some general security tweaks are listed in [Security Measures](./security/measures.md) to give you some ideas. + ## Guarantees If properly configured, Authelia guarantees the following for security of your users and your apps: @@ -27,6 +30,8 @@ If properly configured, Authelia guarantees the following for security of your u * Identity validation is required for performing administrative actions such as registering 2FA devices, preventing attackers to pass second factor by auto-registering their own 2FA device. An email with a link is sent to the user and a click is required to confirm the action. * Prevention against session fixation by regenerating a new session after each privilege elevation. * Prevention against LDAP injection by following OWASP recommendations regarding valid input characters (https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html). +* Connections between Authelia and thirdparty components like mail server, database, cache and LDAP server can be made over TLS to protect against man-in-the-middle attacks from within the infrastructure. + ## Potential future guarantees