Skip to content

Security: seahop/Clio

Security

docs/security.md

Security Features

Clio implements multiple layers of security to protect sensitive red team operation data. This document outlines the key security features implemented throughout the application.

Authentication Security

Password Security

  • Strong Password Policy:

    • Minimum 12 characters
    • Must include uppercase and lowercase letters
    • Must include numbers
    • Must include special characters
    • Cannot be just letters followed by numbers
    • Cannot contain repeated characters (3 or more times)

  • Password Hashing:

    • Implemented using PBKDF2 with 310,000 iterations
    • 32-byte cryptographically secure salt per password
    • SHA-256 hash function

  • First Login Password Change:

    • Users must change their password on first login
    • Temporary passwords expire after first use

Session Management

  • JWT-based Authentication:

    • Signed JSON Web Tokens
    • Automatic refresh for tokens approaching expiration
    • Server instance verification to prevent token reuse across deployments

  • Redis-backed Session Store:

    • Sessions encrypted using AES-256-GCM
    • 8-hour session duration
    • Server-side session validation
    • Automatic cleanup of expired sessions

  • Admin Session Controls:

    • Force logout capabilities for all sessions
    • Active session monitoring and management
    • Session revocation for compromised accounts

API Security

  • API Key Authentication:

    • Secure API key generation with prefix and secret
    • Key hash verification (only hashes stored in database)
    • Per-key permission system with fine-grained access control
    • Automatic key rotation capabilities
    • Key expiration settings
    • Usage auditing and tracking

  • Rate Limiting:

    • Per-API key rate limiting to prevent abuse
    • Configurable limits for different endpoints
    • Automatic throttling for suspicious activity

Transport Security

  • TLS Encryption:

    • End-to-end encryption for all service communications
    • Strong cipher suites and TLS 1.2+ only
    • Self-signed or custom certificates with automatic setup
    • Perfect forward secrecy for all connections

  • Secure Headers:

    • Implemented via Helmet.js
    • Content Security Policy (CSP)
    • X-Content-Type-Options
    • X-Frame-Options
    • Strict-Transport-Security (HSTS)
    • Referrer-Policy enforcement

Data Security

  • Input Sanitization and Validation:

    • All user inputs sanitized to prevent injection attacks
    • Field-specific validation and sanitization rules
    • Protection against common injection patterns

  • CSRF Protection:

    • Unique CSRF tokens for each session
    • Double-submit cookie pattern
    • Token validation for all state-changing operations
    • CSRF bypass protection for API requests with separate authentication

  • Storage Security:

    • Redis data encrypted at rest
    • PostgreSQL data persistence with volume isolation
    • Evidence file protection with hash verification

Logging and Auditing

  • Comprehensive Event Logging:

    • All security events recorded
    • Authentication attempts tracked
    • API key usage logged
    • Admin actions audited
    • Log rotation and retention policies

  • Sensitive Data Handling:

    • Automatic redaction of sensitive information in logs
    • Secrets management and protection
    • Secure display and masking in UI

Secure Development Practices

  • Container Security:

    • Updated base images with security patches
    • Minimal container permissions
    • Internal network isolation
    • No unnecessary exposed ports

  • Dependency Management:

    • Regular updates for all dependencies
    • Vulnerability scanning integration
    • Patch management process

There aren't any published security advisories