QuarryCore includes security features designed to protect data processing pipelines from common vulnerabilities. This document outlines our security practices and how to report security issues.
- Security by Design: Security features built into the core architecture
- Open Communication: Transparent about security capabilities and limitations
- Community-Driven: We welcome security feedback and contributions
QuarryCore is currently in active development:
Version | Status | Notes |
---|---|---|
main branch | Active Development | Latest features and fixes |
< 0.1.0 | Pre-release | Not recommended for production |
If you discover a security vulnerability in QuarryCore:
- Email: Send details to josh.mcd31@gmail.com
- Subject: Use "SECURITY: [Brief Description]" as the subject line
- Details: Include reproduction steps and impact assessment
Please avoid:
- Creating public GitHub issues for security vulnerabilities
- Discussing vulnerabilities publicly before they're addressed
Please provide:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fixes (if any)
QuarryCore implements JWT-based authentication:
# src/quarrycore/auth/jwt_manager.py
- JWT token generation and validation
- Access and refresh token support
- Token revocation capabilities
- Role-based access control (RBAC)
Key Features:
- Configurable token expiry
- Secure token generation using
secrets
module - Token revocation tracking
- User role management
Comprehensive input validation throughout:
# src/quarrycore/security/validation.py
- URL validation with private IP blocking
- File path traversal prevention
- Input size limits
- Content type validation
Protections:
- Blocks access to private IP ranges (10.x, 192.168.x, etc.)
- Prevents directory traversal attacks
- Limits input sizes to prevent DoS
- Validates file types and content
Distributed rate limiting implementation:
# src/quarrycore/security/rate_limiter.py
- Redis-backed distributed rate limiting
- Memory-based fallback
- Sliding window algorithm
- Per-user and per-endpoint limits
Features:
- Configurable rate limits
- Burst allowance support
- Graceful degradation without Redis
- IP-based and user-based limiting
HTTP security headers for web components:
# src/quarrycore/security/headers.py
- Content Security Policy (CSP)
- X-Frame-Options
- X-Content-Type-Options
- Strict-Transport-Security
Additional enterprise-grade security:
# src/quarrycore/security/enterprise_security.py
- API key management
- Audit logging
- Session management
- Advanced monitoring
# config.yaml
security:
jwt:
secret_key: "${JWT_SECRET_KEY}" # Use environment variable
access_token_expire_minutes: 30
refresh_token_expire_days: 7
rate_limiting:
enabled: true
default_limit: 1000 # requests per hour
burst_size: 50
validation:
max_input_size: 10485760 # 10MB
allowed_schemes: ["http", "https"]
block_private_ips: true
When using Docker:
# Run with security constraints
docker run \
--user 1000:1000 \ # Non-root user
--read-only \ # Read-only filesystem
--security-opt no-new-privileges \
-e JWT_SECRET_KEY="$SECRET" \
quarrycore:latest
# Run security-specific tests
pytest tests/test_security_comprehensive.py -v
# Check for common vulnerabilities
bandit -r src/ -ll
# Scan dependencies
pip-audit
- Input validation edge cases
- Rate limiting effectiveness
- Authentication flows
- Authorization boundaries
- SQL injection prevention
- Path traversal protection
- Token Storage: Token revocation list is in-memory (production should use Redis)
- HTTPS: Not enforced at application level (use reverse proxy)
- Encryption: Data encryption at rest not implemented (use filesystem encryption)
- Secrets Management: Basic environment variable support (consider HashiCorp Vault for production)
- Enhanced secrets management
- Built-in HTTPS support
- Data encryption at rest
- Security event monitoring
- SIEM integration support
- Use Environment Variables for sensitive configuration
- Enable Rate Limiting to prevent abuse
- Run as Non-Root User in containers
- Use HTTPS via reverse proxy (nginx, Caddy)
- Regular Updates - Keep dependencies current
# Generate secure secret key
python -c "import secrets; print(secrets.token_urlsafe(32))"
# Set via environment
export JWT_SECRET_KEY="your-generated-secret"
export REDIS_URL="redis://localhost:6379"
For security-related questions:
- Email: josh.mcd31@gmail.com
- GitHub Issues: For non-sensitive security discussions
We welcome security improvements:
- Add security tests
- Improve validation logic
- Enhance documentation
- Report vulnerabilities responsibly
Thank you to everyone who helps improve QuarryCore's security. Your efforts help protect all users of the system.
Remember: Security is an ongoing process, not a destination. We're committed to continuous improvement.