# Security

This document outlines the security architecture, measures, and best practices implemented across the system.

### Security Measures

#### Network Security

**Network Isolation**

* **Internal Network**: Database, Ollama, and Docker proxy services run on an isolated internal network
* **External Network**: Only frontend and API services are exposed to external traffic
* **Bridge Networks**: Uses Docker bridge networks to segment services

**Port Exposure**

* **Minimal Exposure**: Only necessary ports (80, 443) are exposed to the host
* **Internal Communication**: Services communicate through internal networks only
* **Internal-only Ports**: Database (5432), API (5010), and Ollama (11434) are exposed only on the internal networks, not on the host

#### Container Security

**User Isolation**

* **Non-root Execution**: API service runs with specific user/group IDs
* **Dedicated User**: `dataspace` user (UID/GID 1007) for application execution
* **Sudo Access**: Limited sudo access for maintenance operations

**Image Security**

* **Official Images**: Uses official Docker images
* **Version Pinning**: Images are pinned to specific versions to reduce the risk of supply chain attacks
* **Private Registry**: Images pulled from GitHub Container Registry (ghcr.io)

#### Data Security

**Database Security**

* **Password Protection**: Database protected with strong passwords
* **Internal Access**: Database only accessible from the internal network
* **Data Encryption**: User secrets stored in the database are encrypted using configurable encryption keys

#### Access Control

**Authentication & Authorization**

* **OAuth Integration**: Microsoft and Google OAuth support
* **2FA Authentication**: Two-factor authentication is available
* **Role & Resource Level Authorisation**: The platform provides multiple levels of access rights. See [User Roles](/platform/user-roles.md).
* **API Authentication**: Secure API endpoints with proper authentication

**Docker Socket Security**

* **Proxy Service**: Docker socket access through secure proxy
* **Limited Permissions**: Only specific Docker operations allowed
* **Read-only Mount**: Docker socket mounted as read-only
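
The network isolation, port exposure and Docker socket rules listed above can be checked mechanically against a deployment. The following is an added example, not part of the DataSpace code base: it audits the normalized output of `docker compose config --format json`, and the service names (`frontend`, `api`, `db`, `ollama`, `docker-proxy`), the network names and the sample data are assumptions constructed for illustration.

```python
import json

ALLOWED_HOST_PORTS = {"80", "443"}                # from "Port Exposure"
INTERNAL_ONLY = {"db", "ollama", "docker-proxy"}  # assumed service names
DOCKER_SOCK = "/var/run/docker.sock"

def audit(model: dict) -> list[str]:
    """Return findings where the Compose model departs from the documented layout."""
    findings = []
    nets = model.get("networks") or {}
    for name, svc in (model.get("services") or {}).items():
        # Host-published ports: only 80/443, and none at all on backend services.
        for port in svc.get("ports") or []:
            published = str(port.get("published") or "")
            if published and (name in INTERNAL_ONLY or published not in ALLOWED_HOST_PORTS):
                findings.append(f"{name}: publishes host port {published}")
        # Backend services may only join networks declared with internal: true.
        if name in INTERNAL_ONLY:
            for net in svc.get("networks") or {}:
                if not (nets.get(net) or {}).get("internal", False):
                    findings.append(f"{name}: attached to non-internal network {net}")
        # The Docker socket bind mount must carry read_only.
        for vol in svc.get("volumes") or []:
            if vol.get("source") == DOCKER_SOCK and not vol.get("read_only", False):
                findings.append(f"{name}: Docker socket mounted read-write")
    return findings

# Constructed sample with three deliberate deviations (not DataSpace's real file).
SAMPLE = json.loads("""
{"networks": {"internal": {"internal": true}, "external": {}},
 "services": {
  "frontend": {"networks": {"external": null},
               "ports": [{"target": 80, "published": "80"},
                         {"target": 443, "published": "443"}]},
  "api": {"networks": {"external": null, "internal": null},
          "ports": [{"target": 5010, "published": "5010"}]},
  "db": {"networks": {"internal": null, "external": null}},
  "ollama": {"networks": {"internal": null}},
  "docker-proxy": {"networks": {"internal": null},
                   "volumes": [{"type": "bind", "source": "/var/run/docker.sock",
                                "target": "/var/run/docker.sock"}]}
 }}
""")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A read-only bind mount protects the socket file itself; which Docker API operations are reachable is still decided by the proxy's permission list, so both controls need to be in place.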

#### Web Security

**HTTPS/TLS**

* **Automatic HTTPS**: Caddy provides automatic SSL certificate management
* **Let's Encrypt**: Free SSL certificates from Let's Encrypt

**IP Blocking**

* **Blocked IPs**: Configurable IP blocking through Caddy
* **Geographic Filtering**: Can block specific IP ranges or countries

### Security Configuration

#### Installation Security

**User Creation & Initial Setup**

* Create a dedicated `dataspace` user with a specific UID/GID.
* Configure file permissions for configuration files to restrict access.
* Store GitHub keys and other secrets with restricted permissions.

### Security Best Practices

#### Regular Updates

* **Image Updates**: Regular updates of Docker images
* **Security Patches**: Apply security patches promptly
* **Dependency Updates**: Keep all dependencies updated

#### Monitoring & Logging

* **Access Logs**: Caddy provides comprehensive access logging
* **Application Logs**: API and frontend logging enabled
* **Audit Trails**: Database operations logged

### Conclusion

DataSpace implements multiple layers of security through network isolation, container security, data encryption, and access controls. Regular maintenance, updates, and monitoring are essential to maintain a strong security posture. Organizations should implement additional security measures based on their specific requirements and compliance needs.

