-
Notifications
You must be signed in to change notification settings - Fork 0
Security Model
PolicyWatcher's security model is based on separation of duties, source validation, explicit environment configuration and conservative public data exposure.
-
API_SECRETprotects cron/scrape operational endpoints. -
SESSION_HMAC_SECRETsigns admin sessions and must not reuseAPI_SECRET. - Admin and auditor roles are separated.
- Seed/demo records are blocked from production public APIs.
- Destructive admin actions require server-side confirmation payloads.
- Admin access events are logged.
- Renderer and VPS agent secrets stay server-side.
- Renderer requests validate initial URL, redirects and subresources.
- Source retrieval errors are sanitized before being exposed.
PolicyWatcher exposes operational quality signals such as:
- GitHub Actions quality gate;
- CodeQL;
- OpenSSF Scorecard;
- OpenSSF Best Practices project
13465; - targeted reliability coverage workflow;
- MDN Observatory and SecurityHeaders.com checks where configured.
These are evidence signals, not certifications.
An unauthenticated environment diagnostic endpoint existed in commit ec2f699 and was removed from main by commit f453b4a.
If that commit was deployed to production, rotate:
ADMIN_PASSWORDSESSION_HMAC_SECRETAPI_SECRET
The endpoint did not intentionally expose secret values, but diagnostic environment routes are not acceptable in production.
PolicyWatcher should not use stealth browser masking or residential proxy rotation to bypass provider access controls. If a provider blocks retrieval, the event should be recorded and the source suspended or manually reviewed.
- Use high-entropy secrets.
- Store SQLite outside the extracted app root.
- Keep
.envfiles out of Git. - Keep
ALLOW_DATABASE_SEED_ENDPOINTunset in production. - Use HTTPS-only public endpoints.
- Keep renderer and agent services behind bearer/HMAC authentication.
- Rotate secrets after any accidental diagnostic exposure.
PolicyWatcher provides evidence mapping and policy-change monitoring. It is not legal advice, compliance certification, or a definitive assessment of corporate conduct.