tag/v1.2.0/docs/security-runbook.md

# Security Runbook

## Trusted Proxy Setup (Caddy)

Set `WARPBOX_TRUSTED_PROXY_CIDRS` to only the CIDRs of your reverse proxies/load balancers. Without this, WarpBox intentionally ignores forwarding headers and every request may appear to come from the proxy/container bridge, such as `172.30.0.1`.

Example:

```bash
WARPBOX_TRUSTED_PROXY_CIDRS=172.30.0.1/32
```

Caddy example:

```caddyfile
:443 {
  reverse_proxy warpbox:8080 {
    header_up X-Forwarded-For {http.request.remote.host}
    header_up X-Real-IP {http.request.remote.host}
  }
}
```

WarpBox will trust `X-Forwarded-For` only if the direct remote IP is inside `WARPBOX_TRUSTED_PROXY_CIDRS`. Prefer the exact proxy IP as a `/32` when it is stable. If Caddy is on a changing Docker/Podman network, use that network's CIDR instead. You can find it with `docker network inspect <network>` or `podman network inspect <network>`.

## IP Ban Operations

- Use temporary bans by default.
- Use `ban_until` only for active incidents requiring explicit windows.
- Before unbanning, inspect related activity and alerts for repeated abuse patterns.
- For destructive actions (`bulk_unban`, `unban_all`), require explicit confirmation.

## Tuning Guidance

- Low traffic deployments: reduce max-attempt thresholds to catch abuse faster.
- High traffic deployments: increase windows and max-attempts incrementally to reduce false positives.
- Watch for:
  - repeated `auth.admin.failed`
  - repeated `security.scan`
  - frequent `security.upload_limit`
feat/security Reviewed-on: https://tea.chunkbyte.com/kato/warpbox/pulls/2 2026-05-04 00:00:36 +03:00			`# Security Runbook`

			`## Trusted Proxy Setup (Caddy)`

feat: bypass security for health checks and support HEAD downloads - Allow the `/health` endpoint to bypass the security middleware, ensuring container health checks succeed even if the proxy IP is banned. - Add a test to verify health checks from banned IPs. - Register a HEAD route for file downloads. - Refactor admin alert status checks to use a new `isUnacknowledgedAlert` helper. - Update the security runbook documentation with clearer instructions and examples for trusted proxy configuration. 2026-05-23 19:07:11 +03:00			Set `WARPBOX_TRUSTED_PROXY_CIDRS` to only the CIDRs of your reverse proxies/load balancers. Without this, WarpBox intentionally ignores forwarding headers and every request may appear to come from the proxy/container bridge, such as `172.30.0.1`.
feat/security Reviewed-on: https://tea.chunkbyte.com/kato/warpbox/pulls/2 2026-05-04 00:00:36 +03:00
			`Example:`

			```bash
feat: bypass security for health checks and support HEAD downloads - Allow the `/health` endpoint to bypass the security middleware, ensuring container health checks succeed even if the proxy IP is banned. - Add a test to verify health checks from banned IPs. - Register a HEAD route for file downloads. - Refactor admin alert status checks to use a new `isUnacknowledgedAlert` helper. - Update the security runbook documentation with clearer instructions and examples for trusted proxy configuration. 2026-05-23 19:07:11 +03:00			`WARPBOX_TRUSTED_PROXY_CIDRS=172.30.0.1/32`
feat/security Reviewed-on: https://tea.chunkbyte.com/kato/warpbox/pulls/2 2026-05-04 00:00:36 +03:00			```

			`Caddy example:`

			```caddyfile
			`:443 {`
feat: bypass security for health checks and support HEAD downloads - Allow the `/health` endpoint to bypass the security middleware, ensuring container health checks succeed even if the proxy IP is banned. - Add a test to verify health checks from banned IPs. - Register a HEAD route for file downloads. - Refactor admin alert status checks to use a new `isUnacknowledgedAlert` helper. - Update the security runbook documentation with clearer instructions and examples for trusted proxy configuration. 2026-05-23 19:07:11 +03:00			`reverse_proxy warpbox:8080 {`
feat/security Reviewed-on: https://tea.chunkbyte.com/kato/warpbox/pulls/2 2026-05-04 00:00:36 +03:00			`header_up X-Forwarded-For {http.request.remote.host}`
			`header_up X-Real-IP {http.request.remote.host}`
			`}`
			`}`
			```

feat: bypass security for health checks and support HEAD downloads - Allow the `/health` endpoint to bypass the security middleware, ensuring container health checks succeed even if the proxy IP is banned. - Add a test to verify health checks from banned IPs. - Register a HEAD route for file downloads. - Refactor admin alert status checks to use a new `isUnacknowledgedAlert` helper. - Update the security runbook documentation with clearer instructions and examples for trusted proxy configuration. 2026-05-23 19:07:11 +03:00			WarpBox will trust `X-Forwarded-For` only if the direct remote IP is inside `WARPBOX_TRUSTED_PROXY_CIDRS`. Prefer the exact proxy IP as a `/32` when it is stable. If Caddy is on a changing Docker/Podman network, use that network's CIDR instead. You can find it with `docker network inspect <network>` or `podman network inspect <network>`.
feat/security Reviewed-on: https://tea.chunkbyte.com/kato/warpbox/pulls/2 2026-05-04 00:00:36 +03:00
			`## IP Ban Operations`

			`- Use temporary bans by default.`
			- Use `ban_until` only for active incidents requiring explicit windows.
			`- Before unbanning, inspect related activity and alerts for repeated abuse patterns.`
			- For destructive actions (`bulk_unban`, `unban_all`), require explicit confirmation.

			`## Tuning Guidance`

			`- Low traffic deployments: reduce max-attempt thresholds to catch abuse faster.`
			`- High traffic deployments: increase windows and max-attempts incrementally to reduce false positives.`
			`- Watch for:`
			- repeated `auth.admin.failed`
			- repeated `security.scan`
			- frequent `security.upload_limit`