Security posture

This document describes the security controls implemented in Rediflow.

Implemented controls

Authentication and authorization

  • OIDC (Authentik) — Session-based; groups drive roles (admins, editors, viewers).
  • Policy layer — Central Policy class; routes check can_view_system, can_manage_orgs, etc.
  • Project visibility — Optional filter by Authentik groups (org or assignment scope).
  • Session hardening — HttpOnly, SameSite=Lax, Secure in prod.
  • Rate limiting — Login and OAuth callback (5/min per IP); share create (10/min).

Data protection

  • PostgreSQL only — No SQLite. Parameterized queries (SQLAlchemy ORM).
  • Row Level Security — Optional on user_settings, shared_views (two-role setup).
  • Audit logging — Project, org, and settings audit; single append path.

Web security

  • CSRF — Flask-WTF tokens on forms.
  • XSS — Jinja2 auto-escape; CSP with nonce for inline scripts.
  • Open redirect — Safe URL validation for share links and OIDC callback.
  • Headers — X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, HSTS, CSP.
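
One way to implement the safe URL validation listed under "Open redirect" for share links and the OIDC callback. This is an added example, not Rediflow's own code; the function names, the ALLOWED_ORIGINS set and the rediflow.example host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the (scheme, host) pairs the application itself is served from.
# "rediflow.example" is a constructed placeholder host.
ALLOWED_ORIGINS = frozenset({("https", "rediflow.example")})


def is_safe_redirect(target, allowed_origins=ALLOWED_ORIGINS):
    """Return True for same-site absolute paths or allow-listed origins only."""
    if not isinstance(target, str) or not target:
        return False
    # Browsers drop tab/CR/LF and read "\" as "/" when parsing a URL, so a
    # value containing them can resolve differently than it parses here.
    if "\\" in target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. an unterminated IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept "/path" but not "//host" or "path".
        return target.startswith("/") and not target.startswith("//")
    if "@" in parts.netloc:
        return False  # userinfo makes the real host easy to misread
    # Exact match on scheme and host; an explicit port must be allow-listed too.
    return (parts.scheme, parts.netloc.lower()) in allowed_origins


def safe_redirect_target(target, default="/"):
    """Value to pass to redirect(): the target if safe, else a fixed default."""
    return target if is_safe_redirect(target) else default
```

Falling back to a fixed default instead of returning an error keeps the login flow working when the supplied target is rejected.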

Supply chain

  • pip-audit — Python dependency scan in CI.
  • npm audit — docs-site dependency scan in CI.
  • Lockfiles — uv.lock, package-lock.json in version control.
  • License check — No GPL/AGPL dependencies.

Infrastructure

  • Secrets — From env; .env files gitignored.
  • Container — Non-root user in Docker image.

OWASP Top 10 mapping

OWASP                           Status      Notes
A01 Broken Access Control       Addressed   Policy, RLS, project visibility
A02 Cryptographic Failures      Addressed   No custom crypto; Ed25519 for license
A03 Injection                   Addressed   Parameterized queries; Pydantic where used
A04 Insecure Design             Addressed   Policy, audit, RLS
A05 Security Misconfiguration   Addressed   Headers, secure cookies
A06 Vulnerable Components       Addressed   pip-audit, npm audit
A07 Auth Failures               Addressed   OIDC, rate limit, session hardening
A08 Data Integrity              Addressed   CSRF, audit; license verification
A09 Logging Failures            Addressed   Audit, error handler
A10 SSRF                        Addressed   No user-controlled URL fetches

Configuration requirements

For production:

  • Set SECRET_KEY (strong, random).
  • Use HTTPS; SESSION_COOKIE_SECURE is automatic in qa/prod.
  • Configure OIDC for multi-user deployments; avoid POLICY_NO_AUTH_DEFAULT=allow_all.
  • Use PROJECT_VISIBILITY_ENABLED when restricting by org or assignment.

See Security deployment for the full checklist.