mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
Add mention about TLS support in threat model. (#907)
* Add mention about TLS support in threat model. * Try to fix title rendering.
This commit is contained in:
parent
8917c98d65
commit
a3721b69ce
|
@ -5,17 +5,20 @@ parent: Security
|
|||
nav_order: 2
|
||||
---
|
||||
|
||||
|
||||
# Threat Model
|
||||
|
||||
The design goals for Authelia is to protect access to applications by collaborating with reverse proxies to prevent
|
||||
attacks coming from the edge of the network. This document gives an overview of what Authelia is protecting against but some
|
||||
of those points are also detailed in [Security Measures](./security/measures.md).
|
||||
|
||||
|
||||
## General assumptions
|
||||
|
||||
Authelia is considered to be running within a trusted network and it heavily relies on the first level of security provided by reverse proxies. It's very important that you take time configuring your reverse proxy properly to get all the authentication benefits brought by Authelia.
|
||||
Some general security tweaks are listed in [Security Measures](./security/measures.md) to give you some ideas.
|
||||
|
||||
|
||||
## Guarantees
|
||||
|
||||
If properly configured, Authelia guarantees the following for security of your users and your apps:
|
||||
|
@ -27,6 +30,8 @@ If properly configured, Authelia guarantees the following for security of your u
|
|||
* Identity validation is required for performing administrative actions such as registering 2FA devices, preventing attackers to pass second factor by auto-registering their own 2FA device. An email with a link is sent to the user and a click is required to confirm the action.
|
||||
* Prevention against session fixation by regenerating a new session after each privilege elevation.
|
||||
* Prevention against LDAP injection by following OWASP recommendations regarding valid input characters (https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html).
|
||||
* Connections between Authelia and thirdparty components like mail server, database, cache and LDAP server can be made over TLS to protect against man-in-the-middle attacks from within the infrastructure.
|
||||
|
||||
|
||||
## Potential future guarantees
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user