Manager Webapp Security

Overview

The Manager Webapp is the central command center for PenLocal-AI. It implements a layered security model to protect sensitive operations and data.

graph TD
    User -->|"HTTPS (TLS 1.2+)"| Nginx
    Nginx -->|"Reverse Proxy"| Webapp

    subgraph "Application Layer"
        Webapp -->|"MFA & PBKDF2"| Auth["Authentication"]
        Webapp -->|"Fernet Encryption"| Crypto["Data Protection"]
        Webapp -->|"RBAC / Scopes"| ACL["Access Control"]
    end

    subgraph "Data Layer"
        Crypto -->|"Encrypted Data"| DB[(PostgreSQL)]
    end

Security Features

1. Transport Security

  • TLS/SSL: Enforced via Nginx ingress (webapp-proxy).
  • Modern Ciphers: Configured to use strong, modern cipher suites (TLS 1.2/1.3).
  • HSTS: strict-transport-security headers enabled.
  • Proxy Fix: Application is configured to trust X-Forwarded headers from the local proxy.

2. Strong Authentication

  • Password Policy: Enforces 24-character minimum password length.
  • Hashing: Uses PBKDF2 (Password-Based Key Derivation Function 2) with high iteration counts for password storage.
  • MFA: Time-based One-Time Password (TOTP) multi-factor authentication is required.

3. Data Protection (Encryption at Rest)

Sensitive data is never stored in plaintext. We utilize Fernet symmetric encryption for:

  • API Keys (Ollama, Qdrant, etc.)
  • Vulnerability details & Findings
  • Pentest target credentials
  • Report data

4. API Security

  • Authentication: Usage of X-Api-Key and X-Master-Key headers for machine-to-machine communication.
  • Access Control: Granular permission checks on each endpoint.
  • Rate Limiting: Implemented to prevent brute-force and DoS attacks.

5. Session Management

  • Cookies: All session cookies are flagged HttpOnly, Secure, and SameSite=Strict.
  • Lifetime: Strict 4-hour session timeouts to reduce the window of opportunity for hijacked sessions.

6. Application Hardening

  • Security Headers:
    • Content-Security-Policy (CSP)
    • X-Frame-Options: DENY
    • X-Content-Type-Options: nosniff
    • Referrer-Policy: strict-origin-when-cross-origin
  • Input Validation: Strict input filtering in both DOM (Frontend) and API (Backend) layers to prevent XSS and Injection attacks.
  • Privilege Separation: The application runs as a non-root appuser inside the Docker container with minimal filesystem permissions.
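
One way to verify the header and cookie settings listed in sections 1, 5 and 6 against a live response. This is an added example, not PenLocal-AI's own code: the function name audit_response and the sample responses are assumptions made for illustration. CSP and HSTS are checked for presence only, because this page does not state their values.

```python
from http.cookies import SimpleCookie

# Expected values come from this page. CSP and HSTS are presence-only checks
# because the page does not give their values.
EXACT = {
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
PRESENT = ("strict-transport-security", "content-security-policy")

def audit_response(headers):
    """Audit (name, value) header pairs; return a sorted list of findings."""
    seen, cookies, findings = {}, [], []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)  # Set-Cookie may repeat, so keep every one
        else:
            seen[name.lower()] = value.strip()
    findings += [f"missing header: {h}" for h in PRESENT if not seen.get(h)]
    for header, want in EXACT.items():
        got = seen.get(header)
        if got is None or got.lower() != want:
            findings.append(f"{header}: expected {want!r}, got {got!r}")
    for raw in cookies:
        jar = SimpleCookie()
        jar.load(raw)
        if not jar:  # parser rejected the line; do not let it pass silently
            findings.append("unparseable Set-Cookie header")
        for cname, morsel in jar.items():
            for flag in ("httponly", "secure"):
                if not morsel[flag]:
                    findings.append(f"cookie {cname}: {flag} not set")
            if morsel["samesite"].lower() != "strict":
                findings.append(f"cookie {cname}: SameSite is not Strict")
    return sorted(findings)

# Constructed sample responses (not captured from a real deployment).
GOOD = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"),
]
WEAK = [h for h in GOOD if h[0] not in ("Set-Cookie", "X-Frame-Options")] + [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; SameSite=Lax"),
]
```

audit_response(GOOD) returns an empty list, while audit_response(WEAK) reports the relaxed frame policy and the two cookie attribute gaps. The 4-hour session lifetime is server-side state and is not visible to this check.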