Add Security Label to Security Report (#199)

This commit is contained in:
Audiosutras 2023-11-10 11:37:10 -05:00 committed by GitHub
parent 3a97ee2cbf
commit a3c7e93cdb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 27 additions and 13 deletions


@ -12,7 +12,7 @@ on:
workflow_dispatch:
jobs:
zap_scan: # https://github.com/zaproxy/action-full-scan
zap_scan:
runs-on: ubuntu-latest
name: Scan Production Site
steps:
@ -21,15 +21,25 @@ jobs:
run: |
echo "NOW=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
- name: Checkout Main Branch for .zap/rules.tsv
- name: Checkout Repo for .zap/rules.tsv
uses: actions/checkout@v4
with:
ref: 'main'
ref: main
- name: ZAP Scan
- name: ZAP Full Scan
# https://github.com/zaproxy/action-full-scan
uses: zaproxy/action-full-scan@v0.7.0
with:
target: 'https://chitchatter.im/'
rules_file_name: '.zap/rules.tsv'
issue_title: 'Security Report - ${{ steps.set-now.outputs.NOW }}'
artifact_name: 'zap_scan_${{ steps.set-now.outputs.NOW }}'
- name: Add Security Label to Security Report - ${{ steps.set-now.outputs.NOW }}
# https://github.com/actions-ecosystem/action-add-labels
uses: actions-ecosystem/action-add-labels@v1
if: ${{ startsWith('Security Report - ${{ steps.set-now.outputs.NOW }}', '/add-labels')}}
with:
labels: |
security
reports
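Review bot: the `if:` on the "Add Security Label" step can never be true, and is malformed as well: its first argument is the literal string `'Security Report - ...'`, which does not start with `/add-labels`, and nesting `${{ }}` inside an expression that is already wrapped in `${{ }}` is not valid GitHub Actions expression syntax. The `startsWith(..., '/add-labels')` pattern is the action's issue-comment example and does not apply to a scan triggered by a schedule or `workflow_dispatch`; drop the condition (or use `if: success()`) so the step runs once the ZAP step has created the report. The step also has to know which issue to label: with no `number:` input the action falls back to the issue in the event payload, and a scheduled or manually dispatched run has none, so look up the report issue explicitly (for example with `gh issue list --search 'Security Report - ${{ steps.set-now.outputs.NOW }} in:title'` and feed the number into `number:`). Labeling needs `issues: write`, so check the job's `permissions` block, and note that both `zaproxy/action-full-scan@v0.7.0` and `actions-ecosystem/action-add-labels@v1` are pinned to mutable tags; pin third-party actions to full commit SHAs.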


@ -1,8 +1,8 @@
10020 IGNORE (Missing Anti-clickjacking Header)
10021 IGNORE (X-Content-Type-Options Header Missing)
10035 IGNORE (Strict-Transport-Security Header Not Set)
10038 IGNORE (Content Security Policy (CSP) Header Not Set)
10063 IGNORE (Permissions Policy Header Not Set)
10096 IGNORE (Timestamp Disclosure - Unix)
10098 IGNORE (Cross-Domain Misconfiguration)
40040 IGNORE (CORS Misconfiguration)
10020 IGNORE (Missing Anti-clickjacking Header)
10021 IGNORE (X-Content-Type-Options Header Missing)
10035 IGNORE (Strict-Transport-Security Header Not Set)
10038 IGNORE (Content Security Policy (CSP) Header Not Set)
10063 IGNORE (Permissions Policy Header Not Set)
10096 IGNORE (Timestamp Disclosure - Unix)
10098 IGNORE (Cross-Domain Misconfiguration)
40040 IGNORE (CORS Misconfiguration)
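Review bot: the eight removed and eight added lines of `.zap/rules.tsv` are textually identical here, so this is a whitespace or line-ending change; confirm the result uses tab separators, because the ZAP rules file is parsed as `<pluginId>\t<IGNORE|WARN|FAIL>\t<comment>` and space-separated rows silently fail to match their rule IDs, which would turn every one of these IGNOREs back into a reported finding. Separately, ignoring 10035 (HSTS), 10038 (CSP), 10098 and 40040 (cross-domain/CORS) for a production chat site deserves a comment in the file explaining why each is accepted rather than fixed.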


@ -52,7 +52,7 @@ Open https://chitchatter.im/ and join a room to start chatting with anyone else
## Why another chat app?
There is no shortage of user-friendly chat apps available, but they rely on a central service to facilitate communication. It is difficult to trust these central services, as commercial interests and [government pressure](https://www.npr.org/2022/08/12/1117092169/nebraska-cops-used-facebook-messages-to-investigate-an-alleged-illegal-abortion) can compel service operators to work against the best interest of the users. Even when user data is handled in good faith by service operators, the possibility remains that [encrypted data held at rest may be decrypted](https://www.cbsnews.com/news/fbi-may-have-found-way-to-unlock-san-bernardino-shooters-iphone/) against the user's will.
There is no shortage of user-friendly chat apps available, but they rely on a central service to facilitate communication. It is difficult to trust these central services, as commercial interests and [government pressure](https://www.npr.org/2022/08/12/1117092169/nebraska-cops-used-facebook-messages-to-investigate-an-alleged-illegal-abortion) can compel service operators to work against the best interest of the users. Even when user data is handled in good faith by service operators, the possibility remains that [encrypted data held at rest may be decrypted](https://www.cbsnews.com/news/fbi-may-have-found-way-to-unlock-san-bernardino-shooters-iphone/) against the user's will.
Chitchatter designs around these risks with a [web meshe architecture](https://dev.to/jeremyckahn/taking-the-power-back-with-web-meshes-omg). There is no central service operator that stores or potentially mishandles communication data. Some services are required to establish an initial connection between peers, but otherwise the app uses direct peer-to-peer communication for everything. Any services that are used by Chitchatter have no association with the project and are publicly available for all to use.
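Review bot: the removed and added paragraphs in this README hunk are identical, so the change is whitespace-only; if the edit is being touched anyway, the unchanged context line below it has a typo, `web meshe architecture`, which should read `web mesh architecture`.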
@ -231,6 +231,10 @@ Chitchatter works on iOS Safari, but browser-level bugs often prevent peers from
Per [#36](https://github.com/jeremyckahn/chitchatter/issues/36), check your `about:config` settings and ensure that `media.peerconnection.enabled` is **enabled**.
##### Security
Chitchatter undergoes [weekly security audits](https://github.com/jeremyckahn/chitchatter/blob/develop/.github/workflows/security.yml) to identify and address potential vulnerabilities. Reports from all audits can be found in [the **Issues** section filtered by the `security` label](https://github.com/jeremyckahn/chitchatter/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity).
### Contributors
<p align="center">
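Review bot: the new "Security" paragraph promises that reports from all audits can be found under the `security` label, but the linked issue filter includes `is%3Aopen`, so any report that gets closed after triage disappears from that view; drop `is:open` from the query if the sentence is to hold for all audits. The claim also depends on the labeling step in `security.yml` actually attaching the label, and on a `schedule:` trigger to back the word "weekly"; the workflow hunk above shows only `workflow_dispatch:` under `on:`, so make sure the cron entry exists.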