Goal
Use this issue as the standing progress tracker for application security, authentication, authorization, secrets, uploads/media, device flows, mobile security, and supply-chain hygiene.
Use the canonical reference map in the security practices guide for OWASP ASVS, OWASP MASVS, OWASP Cheat Sheet Series, and OpenSSF Scorecard references.
Current Baseline
OWASP ASVS Level 1 is the application-security baseline.
Selected ASVS Level 2 controls additionally apply to authentication, authorization, uploads/media, device/WebSocket flows, secrets, admin APIs, and deployment.
OpenSSF Scorecard is advisory supply-chain monitoring, not a merge-blocking gate.
Security-sensitive changes should include a short threat-model note in the PR, issue, or docs.
In Progress / Needs Verification
Have a security expert or security-focused maintainer review current authentication, token, OAuth, and session implementation.
Verify token handling and session management end to end: access-token strategy, refresh-token rotation/revocation, cookie scope, logout behavior, Redis outage behavior, and dev/test fallback behavior.
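The refresh-token part of that verification is easiest to reason about against a concrete model. The following is an added example written for this tracker, not code from the project: it shows refresh-token rotation with reuse detection (a replayed token revokes its whole login family) and fail-closed behaviour when the token store is unreachable, which is the Redis outage case listed above. The backend language, the `RefreshTokenService`/`InMemoryTokenStore` names and the in-memory stand-in for Redis are all assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass


class StoreUnavailable(Exception):
    """The token store (Redis in production) could not be reached."""


@dataclass
class TokenRecord:
    user_id: str
    family: str        # one family per login; rotation keeps the family id
    used: bool = False  # set once the token has been exchanged


class InMemoryTokenStore:
    """Constructed stand-in for Redis. Flip `available` to simulate an outage."""

    def __init__(self):
        self.available = True
        self._records = {}
        self._revoked_families = set()

    def _guard(self):
        if not self.available:
            raise StoreUnavailable("token store unreachable")

    def put(self, token_hash, record):
        self._guard()
        self._records[token_hash] = record

    def get(self, token_hash):
        self._guard()
        return self._records.get(token_hash)

    def mark_used(self, token_hash):
        self._guard()
        self._records[token_hash].used = True

    def revoke_family(self, family):
        self._guard()
        self._revoked_families.add(family)

    def family_revoked(self, family):
        self._guard()
        return family in self._revoked_families


def _digest(token: str) -> str:
    # Only a hash of the refresh token is stored, so a dump of the store is not replayable.
    return hashlib.sha256(token.encode()).hexdigest()


class RefreshTokenService:
    def __init__(self, store):
        self.store = store

    def issue(self, user_id, family=None):
        """Mint a new opaque refresh token; a new login starts a new family."""
        token = secrets.token_urlsafe(32)
        self.store.put(_digest(token), TokenRecord(user_id, family or secrets.token_hex(8)))
        return token

    def rotate(self, presented):
        """Exchange a refresh token for a fresh one in the same family.

        Raises PermissionError for unknown, revoked or already-used tokens and lets
        StoreUnavailable propagate: with the store down there is no way to know whether
        the token was revoked, so the service must fail closed rather than issue tokens.
        """
        token_hash = _digest(presented)
        rec = self.store.get(token_hash)
        if rec is None:
            raise PermissionError("unknown refresh token")
        if self.store.family_revoked(rec.family):
            raise PermissionError("token family revoked")
        if rec.used:
            # A token that was already rotated is being presented again: either the
            # client or an attacker holds a copy, so every token in the family is cut off.
            self.store.revoke_family(rec.family)
            raise PermissionError("refresh token reuse detected; family revoked")
        self.store.mark_used(token_hash)
        return self.issue(rec.user_id, rec.family)

    def logout(self, presented):
        """Logout revokes the whole family, not just the presented token."""
        rec = self.store.get(_digest(presented))
        if rec is not None:
            self.store.revoke_family(rec.family)


def handle_refresh(service, presented):
    """What the HTTP layer should do: 200 with a new token, 401 on any bad token,
    503 during a store outage. There is deliberately no 'trust the token anyway' branch."""
    try:
        return 200, service.rotate(presented)
    except PermissionError:
        return 401, None
    except StoreUnavailable:
        return 503, None
```

The dev/test fallback listed above is the thing to check against this model: if a development configuration substitutes a permissive store or skips the lookup when Redis is absent, the 503 branch silently becomes a 200, and that is exactly the behaviour that must not leak into a production build.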
Review OAuth implementation against provider best practices and document any remaining provider-specific gaps.
Review whether the remaining RPi camera local direct-access API-key path is acceptable alongside backend device assertions.
Review file/media access through mounted /uploads paths and decide whether authenticated file access is required before private content exists.
Review public/private schema usage and add safeguards or tests that prevent private read schemas from being used accidentally on public endpoints.
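One shape the safeguard in that item can take is a test that walks the route table and rejects any unauthenticated route whose response schema is private, with an independent field-name check as a second net. The code below is an added example for this tracker, not the project's own code: the `UserPublicRead`/`UserPrivateRead` schemas, the `is_private` class marker, the `SENSITIVE_FIELDS` list and the route table are constructed here, and plain dataclasses stand in for whatever schema library the backend uses.

```python
from dataclasses import dataclass, fields
from typing import ClassVar, NamedTuple


# Constructed stand-ins for the project's read schemas (hypothetical names).
# A private read schema opts in with `is_private = True`; anything else is public.
@dataclass
class UserPublicRead:
    id: int
    display_name: str


@dataclass
class UserPrivateRead:
    is_private: ClassVar[bool] = True
    id: int
    display_name: str
    email: str
    hashed_password: str


# Second safeguard: field names that must never be served from a public route,
# even if someone forgets to mark the schema private.
SENSITIVE_FIELDS = frozenset({"email", "hashed_password", "refresh_token", "api_key"})


class Route(NamedTuple):
    path: str
    requires_auth: bool   # False means reachable without a session or token
    response_model: type


def is_private_schema(schema: type) -> bool:
    return bool(getattr(schema, "is_private", False))


def sensitive_fields(schema: type) -> set:
    """Names of sensitive fields declared on the schema."""
    return {f.name for f in fields(schema)} & SENSITIVE_FIELDS


def audit_routes(routes) -> list:
    """Return one message per violation; an empty list means the table is clean."""
    problems = []
    for route in routes:
        if route.requires_auth:
            continue  # only public routes are in scope for this check
        if is_private_schema(route.response_model):
            problems.append(
                f"{route.path}: public route serves private schema "
                f"{route.response_model.__name__}"
            )
        leaked = sensitive_fields(route.response_model)
        if leaked:
            problems.append(
                f"{route.path}: public route exposes sensitive fields {sorted(leaked)}"
            )
    return problems


# Constructed route table; the last entry is the mistake the test should catch.
ROUTES = [
    Route("/api/public/users/{id}", False, UserPublicRead),
    Route("/api/me", True, UserPrivateRead),
    Route("/api/public/users/{id}/full", False, UserPrivateRead),
]

if __name__ == "__main__":
    for problem in audit_routes(ROUTES):
        print(problem)
```

Wired into the test suite as `assert audit_routes(ROUTES) == []`, the check fails the build the moment a private schema or a sensitive field is attached to a public route. If the backend is FastAPI, the same table can be derived from the application's routes (each API route carries its path and its response model), with the authentication flag read from whatever dependency or tag the project uses to mark protected endpoints.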
Run the first OpenSSF Scorecard workflow after merge and triage findings into follow-up issues.
Product And Access-Control Decisions
Decide whether organization roles need an explicit admin role, or whether owner/member plus platform superuser is enough.
Decide whether true many-to-many user/organization membership is needed; the current model supports one organization per user.
Complete or explicitly defer full admin CRUD for organization management beyond current superuser list/detail/delete routes.
Review organization-level access controls for products, files/images, data collection sessions, and cameras. Current product and media ownership is primarily user-scoped.
Implement or explicitly defer public/private visibility controls for products, images, and data collection sessions.
Decide whether server-level rate limiting belongs in Caddy/Nginx, or whether Cloudflare plus application rate limiting is sufficient.
Decide whether an external secrets manager such as Infisical is worth the operational complexity for this self-hosted deployment model.
OWASP Review Work
Build an attack-surface inventory for public routes, authenticated user routes, admin routes, device/plugin routes, WebSocket paths, uploads/media serving, OAuth callbacks, CI/CD workflows, deployment config, and backup paths.
Review file/media/device surfaces for upload validation, storage paths, generated media URLs, image processing, orphan cleanup, direct device uploads, RPi camera pairing/assertions, WebSocket relay behavior, outbound HTTP calls, SSRF exposure, and denial-of-service controls.
Review frontend-web/docs for XSS/DOM XSS risks, security headers, CSP/HSTS posture, privacy page alignment, public links/forms, and deployment behavior.
Review frontend-app against MASVS-relevant controls, including token storage, local storage, OAuth/browser handoff, API error handling, logging, transport assumptions, and whether TLS pinning is appropriate or intentionally out of scope.
Compare current controls to OWASP ASVS Level 1 expectations and selected Level 2 concerns for auth, authorization, uploads, device/WebSocket flows, secrets, admin APIs, and deployment.