Code handling AES-GCM encryption can be found in the lib directory. You can then look at any calls to this library made through import { ... } from 'lufin-lib', most notably frontend/src/shared/upload.ts.
- After configuring HTTPS and verifying it works, you should enable HSTS in your web server configuration.
- If you're running Docker and ufw, make sure to secure Docker's internal network as well: https://stackoverflow.com/a/51741599/13689893
I believe the security of lufin is primarily based on WebCrypto, AES-GCM, HTTPS and the user's environment (JavaScript VM, TCP, TLS, OpenSSL, OS, etc.). If you find a security vulnerability in any of those, you should report it to the authors of those projects and get a CVE identifier. You can then open an issue here referencing that CVE for a dependency upgrade or patch.
If you find a security vulnerability directly in lufin's code, I encourage you to open an issue publicly!