# WarpBox Security TO-DO

## 1) High Priority (Do Next)

- [ ] Persist IP bans across restarts
  - Current: bans stored in-memory (`lib/security/guard.go`)
  - Target: durable store in `DBDir` (similar style to `activity`/`alerts`)
  - Include: startup load, expiry cleanup, atomic writes, corruption-safe fallback
- [ ] Add trusted proxy CIDR config
  - Current: forwarded headers trusted only when remote hop is private/local (`lib/server/ip.go`)
  - Risk: heuristic-only trust model
  - Target:
    - `WARPBOX_TRUSTED_PROXY_CIDRS` setting
    - trust `X-Forwarded-For` only when `RemoteAddr` in trusted CIDR
    - fallback to direct remote IP otherwise
- [ ] Add CIDR/range support for whitelists
  - Current: exact IP match only (`WARPBOX_SECURITY_IP_WHITELIST`, `WARPBOX_SECURITY_ADMIN_IP_WHITELIST`)
  - Target: support exact IP + CIDR entries
  - Include strict parser + validation errors in settings save
- [ ] Add unban / ban edit API audit trail hardening
  - Ensure all manual ban/unban/ban-until actions always write:
    - activity event
    - alert (or policy-based selective alerting)
  - Add tests for these paths

## 2) Medium Priority

- [ ] GeoIP integration for security detail pane
  - Current: placeholder fields in `/admin/security`
  - Target: wire geoipfast provider for country/region/ASN fields
  - Add caching + timeout/failure-safe behavior
- [ ] Expand malicious path detection rules
  - Current: simple substring checks in `handleNoRoute`
  - Target:
    - rule list/pattern config
    - normalize URL + decode checks
    - classify severity by signature group
- [ ] Add global abuse score per IP
  - Combine signals:
    - failed admin auth
    - malicious path scans
    - upload abuse
  - Use score to escalate ban duration automatically
- [ ] Ban duration policy ladder
  - Current: fixed `WARPBOX_SECURITY_BAN_SECONDS`
  - Target:
    - progressive durations (e.g., 30m, 2h, 24h)
    - reset after quiet period
- [ ] Add security settings validation UX
  - Ensure invalid values (negative, malformed lists, invalid CIDR) rejected with clear UI errors
  - Add server tests for malformed security override payloads

## 3) Admin UX Follow-Ups

- [ ] Add dedicated “Active Bans” page-level controls
  - bulk unban
  - filter/sort by expiry and IP
  - copy IP and quick search in activity/alerts
- [ ] Add “why banned” detail
  - link ban entry to latest triggering events and alerts
  - show counts in active windows (login/scan/upload)
- [ ] Add optional confirmation modal for destructive security actions
  - unban all / bulk unban / long custom bans

## 4) Testing & QA

- [ ] Add unit tests for `lib/security/guard.go`
  - `Ban`, `BanUntil`, `Unban`, `BanList` expiry pruning
  - login/scan threshold behavior
  - upload rate limiting behavior
- [ ] Add tests for real-IP resolution edge cases (`lib/server/ip.go`)
  - direct client
  - trusted proxy chain
  - spoofed forwarding headers from untrusted remote
- [ ] Add integration tests for security endpoints
  - `/admin/security/actions` ban/ban_until/unban
  - `/admin/alerts/actions`
  - admin login brute-force auto-ban flow
- [ ] Add concurrency/race test pass in CI
  - run `go test ./... -race` in workflow (where Go toolchain available)

## 5) Operational / Deployment

- [ ] Document reverse-proxy setup requirements
  - Caddy / ingress config examples for forwarding headers
  - guidance for trusted proxy CIDRs
- [ ] Add security runbook
  - how to investigate alerts
  - how to ban/unban safely
  - how to tune thresholds for low/high traffic environments
- [ ] Add metrics hooks (future)
  - counts: blocked requests, bans issued, unbans, alert volume
  - expose to Prometheus-compatible endpoint later

## 6) Nice-to-Have (Later)

- [ ] Optional external enforcement bridge (fail2ban-compatible log format)
- [ ] Webhook notifications for high-severity security alerts
- [ ] Per-account/API-key limits once account system matures
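The following is an added example, not WarpBox code, covering the "trusted proxy CIDR config" and "CIDR/range support for whitelists" items in section 1 and the real-IP edge cases listed under Testing & QA. The names `IPMatcher`, `ParseIPList` and `ClientIP` are assumptions chosen for the example and do not correspond to anything in `lib/server/ip.go`; the rule they implement is the one stated in the TO-DO: honour `X-Forwarded-For` only when `RemoteAddr` is inside a trusted CIDR, and fall back to the direct peer otherwise. The same strict parser serves both the trusted-proxy list and the whitelists, rejecting any malformed entry so a settings save can fail with a clear error.

```go
// Added example (not WarpBox code): trusted-proxy-aware client IP resolution
// and a CIDR-capable allowlist. All names here are assumptions.
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// IPMatcher holds exact IPs and CIDR ranges parsed from a comma-separated
// list, e.g. the value of WARPBOX_TRUSTED_PROXY_CIDRS or a whitelist setting.
type IPMatcher struct {
	exact map[string]struct{}
	nets  []*net.IPNet
}

// ParseIPList parses "ip, ip/prefix, ..." strictly: every non-empty entry must
// be a valid IP or CIDR, otherwise an error naming the bad entry is returned
// so the caller can reject the whole setting instead of silently dropping it.
func ParseIPList(raw string) (*IPMatcher, error) {
	m := &IPMatcher{exact: map[string]struct{}{}}
	for _, entry := range strings.Split(raw, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		if strings.Contains(entry, "/") {
			_, n, err := net.ParseCIDR(entry)
			if err != nil {
				return nil, fmt.Errorf("invalid CIDR %q: %w", entry, err)
			}
			m.nets = append(m.nets, n)
			continue
		}
		ip := net.ParseIP(entry)
		if ip == nil {
			return nil, fmt.Errorf("invalid IP %q", entry)
		}
		m.exact[ip.String()] = struct{}{} // store canonical text form
	}
	return m, nil
}

// Contains reports whether ip is an exact entry or inside any CIDR.
func (m *IPMatcher) Contains(ip net.IP) bool {
	if ip == nil {
		return false
	}
	if _, ok := m.exact[ip.String()]; ok {
		return true
	}
	for _, n := range m.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP resolves the real client address. X-Forwarded-For is consulted
// only when the direct peer (RemoteAddr) is a trusted proxy; a forwarded
// header arriving from an untrusted remote is ignored entirely. When the peer
// is trusted, the right-most hop that is not itself a trusted proxy is the
// client. A malformed header falls back to the direct peer.
func ClientIP(r *http.Request, trusted *IPMatcher) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // RemoteAddr given without a port
	}
	remote := net.ParseIP(host)
	if remote == nil || trusted == nil || !trusted.Contains(remote) {
		return remote
	}
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return remote
	}
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(parts[i]))
		if ip == nil {
			return remote
		}
		if !trusted.Contains(ip) {
			return ip
		}
	}
	return remote // every listed hop was a trusted proxy
}

func main() {
	trusted, _ := ParseIPList("10.0.0.0/8, 127.0.0.1") // constructed sample config
	r, _ := http.NewRequest("GET", "/", nil)
	r.RemoteAddr = "10.1.2.3:4000"
	r.Header.Set("X-Forwarded-For", "203.0.113.7, 10.9.9.9")
	fmt.Println(ClientIP(r, trusted)) // 203.0.113.7
}
```

Walking the header from the right rather than taking the first entry is what keeps a client from prepending an arbitrary address in front of the one the proxy appended; the proxy's own entries are skipped, and the first untrusted hop is reported.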
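A second added example, again not WarpBox code, for the "Ban duration policy ladder" item in section 2: progressive durations (30m, 2h, 24h as in the TO-DO), capped at the last rung, with the rung reset to zero once an IP has stayed quiet for a configurable period after its last ban expired. The `Ladder` type and its methods are assumptions for this example; the quiet period being measured from ban expiry (rather than from the offence) is likewise an assumption. `Prune` shows the expiry cleanup a persisted store would also need at startup load.

```go
// Added example (not WarpBox code): progressive ban ladder with quiet-period
// reset. Type and method names are assumptions.
package main

import (
	"fmt"
	"sync"
	"time"
)

// Ladder escalates ban durations per IP: the first offence gets Steps[0], a
// repeat offence inside the quiet window gets Steps[1], and so on, capped at
// the last step. After expiresAt+Quiet passes with no new offence, the next
// offence starts again at Steps[0].
type Ladder struct {
	Steps []time.Duration
	Quiet time.Duration

	mu    sync.Mutex
	state map[string]*rung
}

type rung struct {
	level     int // index into Steps used for the most recent ban
	expiresAt time.Time
}

func NewLadder(steps []time.Duration, quiet time.Duration) *Ladder {
	return &Ladder{Steps: steps, Quiet: quiet, state: map[string]*rung{}}
}

// Offend records an offence by ip at time now and returns the new ban expiry.
// Every call escalates unless the quiet period has elapsed (assumed policy:
// blocked requests during an active ban should not be fed back in here).
func (l *Ladder) Offend(ip string, now time.Time) time.Time {
	l.mu.Lock()
	defer l.mu.Unlock()
	next := 0
	if r, ok := l.state[ip]; ok && now.Before(r.expiresAt.Add(l.Quiet)) {
		next = r.level + 1
		if next >= len(l.Steps) {
			next = len(l.Steps) - 1 // stay on the top rung
		}
	}
	nr := &rung{level: next, expiresAt: now.Add(l.Steps[next])}
	l.state[ip] = nr
	return nr.expiresAt
}

// Banned reports whether ip is under an active ban at time now.
func (l *Ladder) Banned(ip string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	r, ok := l.state[ip]
	return ok && now.Before(r.expiresAt)
}

// Prune drops entries whose ban and quiet period are both over, so the table
// cannot grow without bound. Returns the number of entries removed.
func (l *Ladder) Prune(now time.Time) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	n := 0
	for ip, r := range l.state {
		if !now.Before(r.expiresAt.Add(l.Quiet)) {
			delete(l.state, ip)
			n++
		}
	}
	return n
}

func main() {
	l := NewLadder([]time.Duration{30 * time.Minute, 2 * time.Hour, 24 * time.Hour}, 6*time.Hour)
	now := time.Now()
	// constructed sequence: four offences one hour apart from the same IP
	for i := 0; i < 4; i++ {
		fmt.Println("ban until", l.Offend("198.51.100.1", now.Add(time.Duration(i)*time.Hour)))
	}
}
```

The mutex is what lets this sit behind concurrent request handlers, which is the kind of state a `go test ./... -race` pass in CI would exercise.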