generated from bisco/codex-bootstrap
feat: add wordpress site variant
This commit is contained in:
+29
-13
@@ -1,16 +1,32 @@
|
||||
# Security
|
||||
|
||||
Describe security assumptions and controls.
|
||||
- NGINX is the only published service. MariaDB is restricted to an internal network;
|
||||
WordPress is reachable only from NGINX and the database network.
|
||||
- Production startup rejects placeholder or short database passwords. `.env` is
|
||||
ignored and real secrets must come from the deployment secret manager.
|
||||
- WordPress uses its normal capability, nonce, authentication, cookie, and password
|
||||
controls. Theme settings sanitize input and templates escape output.
|
||||
- File editing is always disabled. Production also disables web-based core, theme, and
|
||||
plugin changes; patched images are rebuilt and redeployed instead.
|
||||
- XML-RPC and comments are disabled. NGINX blocks PHP execution below uploads, dotfiles,
|
||||
and direct `wp-config.php` requests, and rate-limits login/public requests. Public
|
||||
REST user enumeration and author archives are disabled.
|
||||
- Security headers include CSP, same-origin framing, content-type protection, a strict
|
||||
referrer policy, and a restrictive Permissions Policy. WordPress compatibility still
|
||||
requires inline style/script CSP allowances; do not treat this CSP as an XSS sanitizer.
|
||||
- Forwarded client/protocol headers are overwritten by default. Trust mode is permitted
|
||||
only behind a restricted load balancer that overwrites those headers.
|
||||
- Direct TLS is fail-closed until a certificate exists. Certbot has a read-only root,
|
||||
no Docker socket, dropped capabilities, and narrowly scoped volumes.
|
||||
- Containers are not privileged and do not use host networking or the Docker socket.
|
||||
WordPress/Apache retains the capabilities needed by the official image internally,
|
||||
but no WordPress port is published.
|
||||
- WordPress/Apache access logs are disabled to avoid duplicate client metadata and
|
||||
healthcheck noise; NGINX remains the single request log and PHP warnings/errors stay
|
||||
visible.
|
||||
- Admin MFA, an IP/VPN allowlist, SMTP, malware scanning, log aggregation, and a secret
|
||||
manager remain production operator responsibilities.
|
||||
- Backups and uploads can contain personal data. Encrypt, restrict, retain, and delete
|
||||
them according to the applicable privacy policy.
|
||||
|
||||
Include:
|
||||
|
||||
- authentication;
|
||||
- authorization;
|
||||
- network exposure;
|
||||
- TLS/certificates;
|
||||
- secrets management;
|
||||
- logging of sensitive data;
|
||||
- container privileges;
|
||||
- filesystem permissions;
|
||||
- dependency management;
|
||||
- relevant ADRs.
|
||||
See [ADR-0001](adr/0001-wordpress-single-page.md).
|
||||
|
||||
Reference in New Issue
Block a user