Skip to content

Security Model

Fabrizio Degni edited this page Jul 8, 2026 · 1 revision

Security Model

PolicyWatcher's security model is based on separation of duties, source validation, explicit environment configuration and conservative public data exposure.

Key Controls

  • API_SECRET protects cron/scrape operational endpoints.
  • SESSION_HMAC_SECRET signs admin sessions and must not reuse API_SECRET.
  • Admin and auditor roles are separated.
  • Seed/demo records are blocked from production public APIs.
  • Destructive admin actions require server-side confirmation payloads.
  • Admin access events are logged.
  • Renderer and VPS agent secrets stay server-side.
  • Renderer requests validate initial URL, redirects and subresources.
  • Source retrieval errors are sanitized before being exposed.

External Quality Signals

PolicyWatcher exposes operational quality signals such as:

  • GitHub Actions quality gate;
  • CodeQL;
  • OpenSSF Scorecard;
  • OpenSSF Best Practices project 13465;
  • targeted reliability coverage workflow;
  • MDN Observatory and SecurityHeaders.com checks where configured.

These are evidence signals, not certifications.

Debug Endpoint Incident

An unauthenticated environment diagnostic endpoint existed in commit ec2f699 and was removed from main by commit f453b4a.

If that commit was deployed to production, rotate:

  • ADMIN_PASSWORD
  • SESSION_HMAC_SECRET
  • API_SECRET

The endpoint did not intentionally expose secret values, but diagnostic environment routes are not acceptable in production.

WAF and Access-Control Position

PolicyWatcher should not use stealth browser masking or residential proxy rotation to bypass provider access controls. If a provider blocks retrieval, the event should be recorded and the source suspended or manually reviewed.

Recommended Production Hygiene

  • Use high-entropy secrets.
  • Store SQLite outside the extracted app root.
  • Keep .env files out of Git.
  • Keep ALLOW_DATABASE_SEED_ENDPOINT unset in production.
  • Use HTTPS-only public endpoints.
  • Keep renderer and agent services behind bearer/HMAC authentication.
  • Rotate secrets after any accidental diagnostic exposure.

Clone this wiki locally