# Security

This document outlines the security architecture, measures, and best practices implemented across the system.

### Security Measures

#### Network Security

**Network Isolation**

* **Internal Network**: Database, Ollama, and Docker proxy services run on an isolated internal network
* **External Network**: Only frontend and API services are exposed to external traffic
* **Bridge Networks**: Uses Docker bridge networks to segment services

**Port Exposure**

* **Minimal Exposure**: Only necessary ports (80, 443) are exposed to the host
* **Internal Communication**: Services communicate through internal networks only
* **Exposed Ports**: Database (5432), API (5010), Ollama (11434) are only exposed internally

#### Container Security

**User Isolation**

* **Non-root Execution**: API service runs with specific user/group IDs
* **Dedicated User**: `dataspace` user (UID/GID 1007) for application execution
* **Sudo Access**: Limited sudo access for maintenance operations

**Image Security**

* **Official Images**: Uses official Docker images
* **Version Pinning**: Specific image versions to prevent supply chain attacks
* **Private Registry**: Images pulled from GitHub Container Registry (ghcr.io)

#### Data Security

**Database Security**

* **Password Protection**: Database protected with strong passwords
* **Internal Access**: Database only accessible from the internal network
* **Data Encryption**: User secrets are encrypted using configurable encryption keys in the database

#### Access Control

**Authentication & Authorization**

* **OAuth Integration**: Microsoft and Google OAuth support
* **2FA Authentication**: Two-factor authentication is available
* **Role & Resource Level Authorisation:** The platform provides multiple levels of access rights. See [user-roles](https://docs.dataspace.ch/platform/user-roles "mention").
* **API Authentication**: Secure API endpoints with proper authentication

**Docker Socket Security**

* **Proxy Service**: Docker socket access through secure proxy
* **Limited Permissions**: Only specific Docker operations allowed
* **Read-only Mount**: Docker socket mounted as read-only

#### Web Security

**HTTPS/TLS**

* **Automatic HTTPS**: Caddy provides automatic SSL certificate management
* **Let's Encrypt**: Free SSL certificates from Let's Encrypt

**IP Blocking**

* **Blocked IPs**: Configurable IP blocking through Caddy
* **Geographic Filtering**: Can block specific IP ranges or countries

### Security Configuration

#### Installation Security

### User creation & initial setup

* Create a dedicated `dataspace` user with a specific UID/GID.
* Configure file permissions for configuration files to restrict access.
* Store GitHub keys and other secrets with restricted permissions.

### Security Best Practices

#### Regular Updates

* **Image Updates**: Regular updates of Docker images
* **Security Patches**: Apply security patches promptly
* **Dependency Updates**: Keep all dependencies updated

#### Monitoring & Logging

* **Access Logs**: Caddy provides comprehensive access logging
* **Application Logs**: API and frontend logging enabled
* **Audit Trails**: Database operations logged

### Conclusion

DataSpace implements multiple layers of security through network isolation, container security, data encryption, and access controls. Regular maintenance, updates, and monitoring are essential to maintain a security posture. Organizations should implement additional security measures based on their specific requirements and compliance needs.