Security considerations

When deploying Kadi4Mat in production, there are certain security considerations to take into account, which may depend on how Kadi4Mat is installed. The steps and default configurations that are part of the installation instructions described in this documentation, as well as corresponding helper tools and scripts, should already provide a secure foundation. However, note that certain aspects such as authentication or encryption depend on how Kadi4Mat is configured.

Besides the installation of Kadi4Mat itself, including regular updates of the application, the server that the application runs on should be secured and maintained in an appropriate manner as well. This includes restrictive firewall settings, regular security updates of all installed packages and services that Kadi4Mat depends on, and regular, tested backups.

Security features

While absolute security can never be guaranteed, Kadi4Mat itself already offers various features to aid with ensuring a secure environment, independent of installation or deployment method. These currently include:

  • Support of established authentication mechanisms such as LDAP, OpenID Connect and Shibboleth

  • Secure storage of passwords (scrypt) for local accounts

  • Fine-grained access permissions on a per-resource basis

  • Token-based API authorization using personal access tokens (PATs) or OAuth 2.0 (via the Authorization Code Grant)

  • Consistent and enforced use of HTTPS, including HTTP Strict Transport Security (HSTS)

  • Cross-Site Request Forgery (CSRF) protection

  • Limited and secure use of cookies, which are signed to detect tampering, combined with strong session protection

  • Rate limiting to prevent brute forcing of passwords and to mitigate Denial-of-Service (DoS) attacks

  • Strong Content Security Policy (CSP), use of security headers and strict settings (e.g. when rendering Markdown) to prevent Cross-Site Scripting (XSS) and similar vulnerabilities

  • Strict referrer policy to protect the privacy of users

  • No use of externally loaded scripts or resources

  • Use of established and well-tested libraries for critical functionality

  • Extensive test suite for most of the backend functionality

  • Continuous Integration (CI) infrastructure for automated testing and to ensure a consistent code style and quality
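Several of the features listed above (enforced HTTPS with HSTS, the CSP, the referrer policy, the absence of external script sources and the cookie flags) are visible in the HTTP response headers of a running instance, so they can be checked from the outside after deployment. The following script is an added example written for this page, not code from Kadi4Mat or its documentation. It runs a small set of header checks against two constructed sample responses (one hardened, one weakened) rather than a live server; the header names are assumed to be lowercased already, and the minimum HSTS max-age of one year is an assumed threshold, not a Kadi4Mat setting.

```python
"""Audit HTTP response headers for the hardening features a deployment should show.

Added example for this page; not part of Kadi4Mat. The header values below are
constructed for illustration and were not captured from a real deployment.
"""
import re

# Assumed threshold: one year, as required by the HSTS preload list.
MIN_HSTS_MAX_AGE = 31536000

SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}

# Constructed sample responses (keys lowercased, as a client library would normalize them).
HARDENED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "referrer-policy": "same-origin",
    "x-content-type-options": "nosniff",
    "set-cookie": ["session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/"],
}
WEAK = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-inline'",
    "referrer-policy": "unsafe-url",
    "set-cookie": ["session=abc123; Path=/"],
}


def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_hsts(headers):
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        return [f"HSTS max-age below {MIN_HSTS_MAX_AGE}: {value}"]
    return []


def check_csp(headers):
    value = headers.get("content-security-policy")
    if value is None:
        return ["CSP header missing"]
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("CSP has no default-src fallback")
    # script-src falls back to default-src when absent.
    for src in policy.get("script-src", policy.get("default-src", [])):
        if src in ("'unsafe-inline'", "'unsafe-eval'"):
            findings.append(f"script-src allows {src}")
        elif not src.startswith("'"):
            # Anything that is not a quoted keyword ('self', nonce, hash) is a
            # host or scheme source, i.e. an externally loaded script.
            findings.append(f"script-src permits an external source: {src}")
    if policy.get("object-src") != ["'none'"]:
        findings.append("CSP should set object-src 'none' to block plugin content")
    return findings


def check_referrer_policy(headers):
    value = headers.get("referrer-policy", "").strip().lower()
    if value not in SAFE_REFERRER_POLICIES:
        return [f"Referrer-Policy is weak or missing: {value or '(none)'}"]
    return []


def check_cookies(headers):
    findings = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                findings.append(f"cookie {name} lacks {required}")
    return findings


def check_nosniff(headers):
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        return ["X-Content-Type-Options: nosniff missing"]
    return []


def audit(headers):
    """Return all findings for one response; an empty list means every check passed."""
    findings = []
    for check in (check_hsts, check_csp, check_referrer_policy, check_cookies, check_nosniff):
        findings.extend(check(headers))
    return findings


if __name__ == "__main__":
    for label, headers in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(headers) or "OK")
```

To run the same checks against a real instance, collect the headers of an HTTPS response to a page that sets the session cookie, lowercase the header names and pass a list for Set-Cookie, since that header may appear more than once. Headers set by a reverse proxy (for example an nginx or Apache instance in front of Kadi4Mat) count as well, so the check reflects the deployment as a whole, not only the application.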

Please also see the current security policy of Kadi4Mat.