Skip to content

Security: side-projects-overkill/redhat-learning-paths

Security

SECURITY.md

Security Policy

Supported Versions

We provide security updates for the following versions:

Version Supported
1.0.x
< 1.0

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability, please report it responsibly.

How to Report

Please do not report security vulnerabilities through public GitHub issues.

Instead, please send an email to: [email protected]

Include the following information:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Any suggested fixes (if available)

What to Expect

  • Acknowledgment: We'll acknowledge receipt within 24 hours
  • Initial Response: We'll provide an initial response within 72 hours
  • Updates: We'll keep you informed of progress towards a fix
  • Disclosure: We'll work with you on responsible disclosure

Security Best Practices

Our application follows security best practices:

Container Security

  • Non-root users in containers
  • Minimal base images (UBI)
  • Regular security scans
  • No secrets in images

Application Security

  • Input validation and sanitization
  • Secure API endpoints
  • Rate limiting
  • Error handling without information disclosure

Data Security

  • Secure database connections
  • No sensitive data in logs
  • Encrypted data transmission

Security Features

Implemented Security Measures

  1. Container Security

    • Containers run as non-root users
    • Security contexts with dropped capabilities
    • Read-only root filesystems where possible

  2. Network Security

    • Internal network communication only
    • No unnecessary port exposure
    • Proper service discovery

  3. Input Validation

    • All user inputs are validated
    • SQL injection prevention
    • XSS protection

  4. Authentication & Authorization

    • Future: JWT-based authentication
    • Future: Role-based access control

Automated Security Scanning

We use automated tools to scan for vulnerabilities:

  • Dependency Scanning: Regular checks for vulnerable dependencies
  • Container Scanning: Trivy scans for container vulnerabilities
  • Code Analysis: CodeQL for static analysis
  • Secret Scanning: Detection of hardcoded secrets

Security Configuration

Production Deployment

For production deployments, ensure:

  1. Environment Variables

    # Use strong passwords
POSTGRES_PASSWORD=<strong-random-password>

# Use production database URLs
DATABASE_URL=postgresql://user:pass@secure-host:5432/db

# Disable debug mode
DEBUG=false
ENVIRONMENT=production

  2. Network Security

    • Use TLS/SSL for all connections
    • Implement proper firewall rules
    • Use container network policies

  3. Access Control

    • Limit container privileges
    • Use read-only filesystems
    • Implement proper user permissions

Security Headers

The application implements security headers:

# In frontend Containerfile
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self'..." always;

Vulnerability Management

Dependency Updates

We regularly update dependencies to address security vulnerabilities:

  • Python packages: Updated monthly or when vulnerabilities are discovered
  • Node.js packages: Updated monthly or when vulnerabilities are discovered
  • Base images: Updated when new versions are available

Security Monitoring

  • GitHub Security Advisories: Monitor for security issues
  • CVE Databases: Track relevant CVEs
  • Dependency Scanning: Automated scans in CI/CD

Incident Response

In case of a security incident:

  1. Immediate Response

    • Assess the scope and impact
    • Contain the incident
    • Gather evidence

  2. Communication

    • Notify affected users
    • Coordinate with security team
    • Prepare public disclosure

  3. Recovery

    • Deploy fixes
    • Verify resolution
    • Document lessons learned

Security Checklist

Before deploying to production:

  • All dependencies are up to date
  • Security scans pass
  • Secrets are properly managed
  • HTTPS is enabled
  • Database is properly secured
  • Monitoring is in place
  • Backup procedures are tested
  • Incident response plan is ready

Third-Party Security

External Services

The application integrates with:

  • Ollama: Local LLM service
  • PostgreSQL: Database
  • Search APIs: Google, YouTube, Udemy

Security considerations:

  • All external API calls use HTTPS
  • API keys are stored securely
  • Rate limiting is implemented

Supply Chain Security

  • Dependency verification: Use lock files
  • Image verification: Verify base image signatures
  • Build security: Secure CI/CD pipeline

Contact Information

For security-related questions or concerns:

  • Security Team: [email protected]
  • General Issues: Use GitHub Issues (for non-security issues)
  • Emergency: For critical security issues, mark emails as "URGENT"

Acknowledgments

We appreciate security researchers and contributors who help keep our application secure. Responsible disclosure helps protect our users and the community.

Hall of Fame

We'll recognize security researchers who responsibly report vulnerabilities:

  • [Your name could be here!]

Last Updated: January 2025

Thank you for helping keep Red Hat Learning Paths secure! 🔒

There aren’t any published security advisories