Phase1: Project proposal & Security Plan

CHANGELOG.md

@@ -0,0 +1,6 @@
+# CHANGELOG
+
+## Unreleased
+
+* Phase1: Add project proposal and security plan (by Munazza Ahmed Sumaiya Bukhari Zainab Altaf)
+

README.md

@@ -1,3 +1,15 @@
+# SecureNotes (fork of full-stack-fastapi-postgresql)
+
+Phase 1 deliverables for SecureNotes (REST API security project).
+
+## Phase 1 contents
+
+* `docs/PROJECT_PROPOSAL.md`
+* `docs/SECURITY_PLAN.md`
+* `docs/system_overview.drawio` / `.png` / `.pdf`
+* `README.md`, `CHANGELOG.md`
+
+This repo is a fork of the `tiangolo/full-stack-fastapi-postgresql` starter.
 # Full Stack FastAPI Template
 
 <a href="https://github.com/fastapi/full-stack-fastapi-template/actions?query=workflow%3ATest" target="_blank"><img src="https://github.com/fastapi/full-stack-fastapi-template/workflows/Test/badge.svg" alt="Test"></a>

docs/PROJECT_PROPOSAL.md

@@ -0,0 +1,39 @@
+# Project Proposal — SecureNotes (FastAPI)
+
+**Course:** Secure Software Development
+**Project Theme:** REST API Security (FastAPI) — fork of tiangolo/full-stack-fastapi-postgresql
+**Repository (fork):** [https://github.com/YourGitHubUser/secure-notes](https://github.com/YourGitHubUser/secure-notes)
+
+**Implementer (Phase 1):** [Your Full Name]
+
+## Objective
+
+Build a secure REST API to accept, encrypt, store and return user notes. Use Secure SDLC, OWASP guidance, and DevSecOps: threat modeling, code and dependency scanning, container scanning, and DAST.
+
+## Scope (Phase 1)
+
+* Fork the template and set up repo branch `phase1-setup`.
+* Define security objectives and produce a Security Plan (this doc + SECURITY_PLAN.md).
+* Produce Level-0 DFD (docs/system_overview.*).
+* Setup initial README and changelog.
+
+## Deliverables (Phase 1)
+
+* docs/PROJECT_PROPOSAL.md
+* docs/SECURITY_PLAN.md
+* docs/system_overview.png and .pdf
+* README.md and CHANGELOG.md
+* Branch: phase1-setup and PR to main
+
+## Team & responsibilities
+
+* [Your Full Name] — Phase 1: planning, repo setup, DFD, documentation.
+* (Teammates will implement later phases: threat modeling, code, tests).
+
+## Timeline
+
+* Phase 1: (today) Planning & Setup
+* Phase 2: Threat Model & Risk Assessment
+* Phase 3: Implementation (backend security controls)
+* Phase 4: CI/CD & automated security scans
+* Phase 5: Final report & demo

docs/SECURITY_PLAN.md

@@ -0,0 +1,61 @@
+# Security Plan — SecureNotes (Phase 1)
+
+**Author:** [Your Full Name]
+**Repo:** [https://github.com/YourGitHubUser/secure-notes](https://github.com/YourGitHubUser/secure-notes)
+**Date:** YYYY-MM-DD
+
+## 1. Summary
+
+This plan defines security objectives, assets, roles, high-level controls, and next steps for Phase 1 of SecureNotes (FastAPI).
+
+## 2. Security Objectives (CIA + Privacy)
+
+* **Confidentiality**: Encrypt note bodies at rest using AES-GCM with a 256-bit application master key.
+* **Integrity**: Use JWT with HMAC (HS256) and short token lifetimes; authenticated encryption for stored data.
+* **Availability**: Basic rate limiting plan and graceful error handling (to be implemented).
+* **Privacy**: Minimize PII; store username and password hash only; redact sensitive logs.
+
+## 3. System Assets
+
+| Asset                      |   Classification | Comments                               |
+| -------------------------- | ---------------: | -------------------------------------- |
+| Note content               |        Sensitive | Must be encrypted at rest              |
+| User credentials           | Highly sensitive | Store hashed (bcrypt) only             |
+| MASTER_KEY / JWT_SECRET    |           Secret | Store in GitHub Secrets/secret manager |
+| Database backups           |        Sensitive | Encrypt & restrict access              |
+| CI tokens & registry creds |           Secret | Least privilege in CI                  |
+
+## 4. Users & Roles
+
+* **User**: create/read own notes.
+* **Admin** (future): manage users and system.
+* **Developer/CI**: builds and tests; must not leak secrets.
+
+## 5. Data Flows (high level)
+
+* User → HTTPS → FastAPI endpoints (register, login, /notes)
+* FastAPI → encrypt note → DB (store ciphertext)
+* CI (GitHub Actions) → build/test/scan → images/reports
+
+A Level-0 DFD diagram is included: `docs/system_overview.png` / `.pdf`.
+
+## 6. Initial Controls to implement (Phase 2/3 plan)
+
+1. Password hashing (bcrypt via passlib).
+2. JWT auth (short lived access tokens).
+3. AES-GCM encryption for note bodies (app master key from secrets).
+4. Pydantic input validation for all endpoints.
+5. Security headers middleware (CSP, HSTS, X-Frame-Options).
+6. CI: CodeQL, Snyk (SCA), Trivy (container), OWASP ZAP (DAST).
+
+## 7. Key risks & mitigations
+
+* **Leak of master key** → use GitHub Secrets & rotation plan.
+* **Dependency vulnerabilities** → Snyk scans and upgrades.
+* **Misconfigured CI secrets** → restrict access & do not echo secrets in logs.
+
+## 8. Phase-1 acceptance criteria
+
+* Repo forked and branch `phase1-setup` created.
+* Security Plan and DFD added to `docs/`.
+* PR created (and merged).

docs/system_overview.drawio

@@ -0,0 +1,37 @@
+<mxfile host="app.diagrams.net" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" version="28.2.8">
+  <diagram name="Page-1" id="wQdYjDTQ9otpaTvRJ1rn">
+    <mxGraphModel dx="806" dy="481" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1100" pageHeight="850" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="Loh9Il3-jM7u6gasKObG-1" value="Actor" style="shape=umlActor;verticalLabelPosition=bottom;verticalAlign=top;html=1;outlineConnect=0;" vertex="1" parent="1">
+          <mxGeometry x="180" y="200" width="30" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="Loh9Il3-jM7u6gasKObG-10" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="Loh9Il3-jM7u6gasKObG-3" target="Loh9Il3-jM7u6gasKObG-4">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="Loh9Il3-jM7u6gasKObG-3" value="User browser" style="image;aspect=fixed;html=1;points=[];align=center;fontSize=12;image=img/lib/azure2/general/Browser.svg;" vertex="1" parent="1">
+          <mxGeometry x="260" y="200" width="65" height="52" as="geometry" />
+        </mxCell>
+        <mxCell id="Loh9Il3-jM7u6gasKObG-11" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="Loh9Il3-jM7u6gasKObG-4" target="Loh9Il3-jM7u6gasKObG-5">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="Loh9Il3-jM7u6gasKObG-4" value="&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;background-color: transparent; color: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));&quot;&gt;Secure notes app&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;Endpoints: /auth, /notes&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1">
+          <mxGeometry x="370" y="200" width="120" height="70" as="geometry" />
+        </mxCell>
+        <mxCell id="Loh9Il3-jM7u6gasKObG-5" value="PostgreSQL Database" style="shape=datastore;whiteSpace=wrap;html=1;" vertex="1" parent="1">
+          <mxGeometry x="540" y="200" width="70" height="70" as="geometry" />
+        </mxCell>
+        <mxCell id="Loh9Il3-jM7u6gasKObG-8" value="GITHUB" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" vertex="1" parent="1">
+          <mxGeometry x="350" y="70" width="120" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="Loh9Il3-jM7u6gasKObG-9" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0.5;exitDx=0;exitDy=0;exitPerimeter=0;entryX=-0.063;entryY=0.431;entryDx=0;entryDy=0;entryPerimeter=0;" edge="1" parent="1" source="Loh9Il3-jM7u6gasKObG-1" target="Loh9Il3-jM7u6gasKObG-3">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="Loh9Il3-jM7u6gasKObG-12" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.327;entryY=0.062;entryDx=0;entryDy=0;entryPerimeter=0;" edge="1" parent="1" source="Loh9Il3-jM7u6gasKObG-8" target="Loh9Il3-jM7u6gasKObG-4">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+</mxfile>