stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
6c1177a6ceab81b77b16ec01a6c859b9e3c12f6a
git.stella-ops.org/docs/security/notifications-hardening.md
StellaOps Bot 9f6e6f7fb3
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
Policy Simulation / policy-simulate (push) Has been cancelled
Details
SDK Publish & Sign / sdk-publish (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details
up
2025-11-25 22:09:44 +02:00

38 lines
2.3 KiB
Markdown
Raw Blame History

# Notifications Hardening Guide
Last updated: 2025-11-25 (Docs Tasks Md.V · DOCS-NOTIFY-40-001)
## Threat model
- Tenant data isolation breaches (cross-tenant deliveries).
- Channel compromise (webhook leaks, OAuth token theft).
- Message tampering or replay.
- Flooding / notification storms.
## Controls
- **Tenant isolation**: every rule/channel/template includes `tenant`; APIs enforce `X-Stella-Tenant`. Mongo collections are filtered by tenant with indexes on `(tenant, id)`.
- **Secrets**: channels reference Authority `secretRef`; secrets never stored in Notify DB. Rotate via Authority and `:refresh-secret`.
- **Outbound allowlist**: restrict hosts/ports per tenant; defaults block public internet in air-gapped kits.
- **Signing**: webhook deliveries include `X-Stella-Signature` HMAC-SHA256 over body+nonce; receivers must reject stale timestamps (>5m) and verify signature.
- **Replay protection**: delivery ledger de-dupes on `(channel, bodyHash)` for 24h; escalation tokens are single-use DSSE-signed.
- **Rate limits/throttles**: per-rule and per-channel throttles; quiet hours for non-critical traffic.
- **Templates sandboxed**: no file/network access; helpers are pure and deterministic.
- **Logging/PII**: payloads redacted based on rule labels; logs avoid full body, store hashes instead.
- **Audit**: all admin actions (create/update/delete channel or rule) logged with actor, trace id, and diff.
## Deployment checklist
- [ ] Authority scopes `notify.viewer|operator|admin` configured; service accounts least-privilege.
- [ ] HTTPS everywhere; TLS 1.2+; HSTS on WebService front-door.
- [ ] Redis protected by auth and network policy; Mongo TLS + auth enabled.
- [ ] Outbound allowlists defined per environment; no wildcard `*`.
- [ ] Webhook receivers validate signatures and enforce host/IP allowlists.
## Incident playbook (channel compromise)
1) Disable affected channel via `PATCH /channels/{id}` (`enabled=false`).
2) Rotate secret in Authority; refresh channel secret.
3) Search ledger for deliveries to compromised endpoint and notify tenants if required.
4) Re-enable with new endpoint/secret after validation.
## Offline/air-gap notes
- Ship channel manifests and secrets via sealed bundles; keep hash manifest with signed checksum.
- Disable any channel type not supported in the enclave (e.g., external Slack) and use in-app or file-drop channels instead.
Reference in New Issue View Git Blame Copy Permalink