Some Security considerations + docker size #62
Comments
Hi
Project sounds interesting. I love that it's lightweight (somewhat) and that it can run on an RPi. I've been searching for something like this built in Go for a while.
Some security considerations; I didn't do a full audit or exploration (it seems to avoid basic XSS at the moment):
Wouldn't it be better to somehow obfuscate the admin page/button? And instead use an admin user which is generated and chosen BY the user upon init. This will avoid brute-force attacks.
As for the Docker image, you could use a multi-stage build. This will make the Docker image smaller and will only copy the resulting binary and website instead of the whole source code and Node.js libs, which are probably not useful.
https://docs.docker.com/build/building/multi-stage/
Nice job!

I will look into the multi-stage build; I was not aware of this. Is this why you said it was "somewhat" lightweight, or do you see other things that can be optimized? I agree with your point on adding admin privileges to an account; I see that as a better implementation. This would require a larger refactor, so it is probably a ways out before I can get to it.

By lightweight I meant that, in theory, after the frontend is built it could be embedded into the Go binary as one executable using the https://pkg.go.dev/embed package. This could make it possible to actually release the binaries instead of using Docker, and to integrate the binary directly into an Alpine/slim Debian Docker image for people who want to use Docker. See also point 3. I found another pretty big security issue: the admin token is sent as a GET parameter, which has a few issues.
I played around with the app via a local Docker instance which was reverse proxied with SSH to a subdomain.

Firstly, thanks for your review of the project! I really appreciate your time and knowledge. Thanks for the Go package suggestion. I'll need to figure out how to do that, but it seems like a great way to make this project more accessible. As to your other points:
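The embedding suggested in the thread (build the frontend, embed it into the Go binary with the standard `embed` package, ship one executable or copy just that into a slim image), as an added example; this is not the project's own code. The directory name `frontend/dist` and the single-page-app fallback to `index.html` are assumptions, and a constructed in-memory filesystem stands in for the `embed.FS` so the example runs here without a frontend build step:

```go
package main

import (
	"io/fs"
	"log"
	"net/http"
	"strings"
	"testing/fstest"
)

// In a real build the compiled frontend is embedded into the binary with the
// standard embed package; the directory name is an assumption, the project's
// build output may be named differently:
//
//	//go:embed frontend/dist
//	var frontendFiles embed.FS
//
// and served with newFrontendHandler(frontendFiles, "frontend/dist").
// So that this example runs without a frontend build step, a constructed
// in-memory filesystem with the same layout stands in for the embed.FS.
var constructedFrontend = fstest.MapFS{
	"frontend/dist/index.html":    {Data: []byte("<!doctype html><div id=\"app\"></div>")},
	"frontend/dist/assets/app.js": {Data: []byte("console.log('app')")},
}

// newFrontendHandler serves the files below root from fsys. Paths that do not
// name a file (client-side routes, directories) fall back to index.html, so
// the single-page app keeps working on deep links and no directory listing is
// ever rendered.
func newFrontendHandler(fsys fs.FS, root string) (http.Handler, error) {
	sub, err := fs.Sub(fsys, root)
	if err != nil {
		return nil, err
	}
	fileServer := http.FileServer(http.FS(sub))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := strings.TrimPrefix(r.URL.Path, "/")
		if name == "" {
			name = "index.html"
		}
		if info, err := fs.Stat(sub, name); err != nil || info.IsDir() {
			// Not a file in the bundle: hand the SPA entry point to the router.
			r.URL.Path = "/"
		}
		fileServer.ServeHTTP(w, r)
	}), nil
}

func main() {
	frontend, err := newFrontendHandler(constructedFrontend, "frontend/dist")
	if err != nil {
		log.Fatal(err)
	}
	mux := http.NewServeMux()
	mux.Handle("/", frontend)
	log.Println("serving embedded frontend on :8080")
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

With the assets inside the binary, the multi-stage build linked in the thread reduces to two stages: a builder image that runs the frontend build and `go build`, and a final stage based on Alpine or slim Debian that copies only the one executable, so neither the source tree nor the Node.js dependencies reach the published image.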
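Moving the admin token out of the URL, as the thread's report of a token sent as a GET parameter calls for; this is an added example, not the project's code. It assumes the parameter is named `token`, that the client can send an `Authorization: Bearer` header, and that the configured token is available at startup; the hash-then-constant-time compare is a standard hardening choice, not something the thread specifies:

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net/http"
	"strings"
)

// adminAuth guards the admin endpoints. The admin token must arrive in the
// Authorization header as "Bearer <token>"; a token in the query string is
// refused outright, because query strings are written to reverse-proxy and
// server access logs, kept in browser history and leak through the Referer
// header when the admin page links out. The parameter name "token" is an
// assumption, the thread does not name the real one.
type adminAuth struct {
	tokenHash [sha256.Size]byte // SHA-256 of the configured token
}

func newAdminAuth(token string) *adminAuth {
	return &adminAuth{tokenHash: sha256.Sum256([]byte(token))}
}

// check returns http.StatusOK when the request carries the right token,
// http.StatusBadRequest when a token was put in the URL, and
// http.StatusUnauthorized otherwise.
func (a *adminAuth) check(r *http.Request) int {
	if r.URL.Query().Has("token") {
		return http.StatusBadRequest
	}
	const prefix = "Bearer "
	header := r.Header.Get("Authorization")
	if !strings.HasPrefix(header, prefix) {
		return http.StatusUnauthorized
	}
	// Hashing both sides first gives equal-length inputs, so the constant-time
	// compare leaks neither the token's length nor its prefix through timing.
	presented := sha256.Sum256([]byte(strings.TrimPrefix(header, prefix)))
	if subtle.ConstantTimeCompare(presented[:], a.tokenHash[:]) != 1 {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// middleware wraps an admin handler with the check above.
func (a *adminAuth) middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if status := a.check(r); status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// The token would come from configuration; a fixed value is used here
	// only so the example runs stand-alone.
	auth := newAdminAuth("replace-me-with-a-random-token")
	mux := http.NewServeMux()
	mux.Handle("/admin/", auth.middleware(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("admin area\n"))
	})))
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

Reverse proxies, including an SSH-forwarded setup like the one mentioned in the thread, log the request line with its query string by default, which is why a token in a GET parameter ends up on disk at every hop; the Authorization header is not logged unless someone configures that explicitly. Rejecting a query-string token with 400 rather than silently ignoring it makes any client still using the old form visible during the migration.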