# Security Runbook

## Trusted Proxy Setup (Caddy)

Set `WARPBOX_TRUSTED_PROXY_CIDRS` to only the CIDRs of your reverse proxies/load balancers. Example:

```bash
WARPBOX_TRUSTED_PROXY_CIDRS=10.0.0.0/8,192.168.0.0/16
```

Caddy example:

```caddyfile
:443 {
    reverse_proxy 127.0.0.1:8080 {
        header_up X-Forwarded-For {http.request.remote.host}
        header_up X-Real-IP {http.request.remote.host}
    }
}
```

WarpBox will trust `X-Forwarded-For` only if the direct remote IP is inside `WARPBOX_TRUSTED_PROXY_CIDRS`.

## IP Ban Operations

- Use temporary bans by default.
- Use `ban_until` only for active incidents requiring explicit windows.
- Before unbanning, inspect related activity and alerts for repeated abuse patterns.
- For destructive actions (`bulk_unban`, `unban_all`), require explicit confirmation.

## Tuning Guidance

- Low traffic deployments: reduce max-attempt thresholds to catch abuse faster.
- High traffic deployments: increase windows and max-attempts incrementally to reduce false positives.
- Watch for:
  - repeated `auth.admin.failed`
  - repeated `security.scan`
  - frequent `security.upload_limit`
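The trusted-proxy rule from the first section, as an added example that is not WarpBox's own code: the client IP used for bans is taken from `X-Forwarded-For` only when the TCP peer falls inside the configured CIDRs, and otherwise the header is ignored as untrusted input. It generalises the rule to a multi-hop chain by walking the header right to left past any hops that are themselves trusted proxies; the CIDR string and addresses are constructed sample values.

```python
import ipaddress

# Constructed sample value mirroring the WARPBOX_TRUSTED_PROXY_CIDRS setting above.
TRUSTED_PROXY_CIDRS = "10.0.0.0/8,192.168.0.0/16"


def parse_cidrs(value):
    """Parse the comma-separated CIDR list into ip_network objects."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]


def is_trusted_proxy(ip, networks):
    """True if ip parses and lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def client_ip(remote_ip, xff_header, networks):
    """Return the address that rate limiting and bans should key on.

    X-Forwarded-For is honoured only when the direct peer is a trusted
    proxy. When it is, the rightmost hop that is not itself a trusted
    proxy is the real client; anything to its left was supplied by the
    client and is not trusted. Malformed hops fall back to the peer IP.
    """
    if not xff_header or not is_trusted_proxy(remote_ip, networks):
        return remote_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop, networks):
            continue  # an internal proxy hop, keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_ip  # garbage in the header: do not trust it
        return hop
    return remote_ip  # every hop was a proxy; nothing client-side to use


if __name__ == "__main__":
    nets = parse_cidrs(TRUSTED_PROXY_CIDRS)
    # Untrusted peer: spoofed header is ignored, peer address is used.
    print(client_ip("203.0.113.5", "198.51.100.7", nets))
    # Trusted proxy peer: header is honoured.
    print(client_ip("10.1.2.3", "198.51.100.7, 192.168.1.1", nets))
```

Note that with the Caddy example above on the same host, the peer address WarpBox sees is `127.0.0.1`, which the sample CIDR list does not cover, so the loopback range would need to be added for the header to be honoured.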