appwrite · TorstenDittmann · Jan 8, 2024 · Jan 3, 2024 · Jan 4, 2024 · Jan 5, 2024
diff --git a/src/markdoc/tags/Cards.svelte b/src/markdoc/tags/Cards.svelte
@@ -1,5 +1,5 @@
-<div class="u-margin-block-start-24">
-	<ul class="aw-grid-row-2">
-		<slot />
-	</ul>
+<div style:margin-block="1.5rem">
+    <ul class="aw-grid-row-2">
+        <slot />
+    </ul>
 </div>
diff --git a/src/partials/auth-security.md b/src/partials/auth-security.md
@@ -0,0 +1,23 @@
+# Password history  {% #password-history %}
+
+Password history prevents users from reusing recent passwords. This protects user accounts from security risks by enforcing a new password every time it's changed.
+
+Password history can be enabled in the Auth service's **Security** tab on the Appwrite Console. You can choose how many previous passwords to remember up to a maximum of 20 and block users from reusing them.
+
+# Password dictionary {% #password-dictionary %}
+
+Password dictionary protects users from using bad passwords. It compares the user's password to the [10,000 most common passwords](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10k-most-common.txt) and throws an error if there's a match. Together with [rate limits](/docs/advanced/platform/rate-limits), password dictionary will significantly reduce the chance of a malicious actor from guessing user passwords.
+
+Password dictionary can be enabled in the Auth service's **Security** tab on the Appwrite Console.
+
+# Password hashing  {% #password-hashing %}
+Appwrite protects passwords by using the [Argon2](https://github.com/P-H-C/phc-winner-argon2) password-hashing algorithm.
+Argon 2 is a resilient and secure password hashing algorithm, which is also the winner of the [Password Hashing Competition](https://www.password-hashing.net/)
+Appwrite combines Argon 2 with the use of techniques such as salting, adjustable work factors, and memory hardness to securely handle passwords.
+
+# Personal data  {% #personal-data %}
+
+Encourage passwords that are hard to guess by disallowing users to pick passwords that contain personal data.
+Personal data includes the user's name, email, and phone number.
+
+Disallowing personal data can be enabled in the Auth service's **Security** tab on the Appwrite Console.
diff --git a/src/routes/docs/Sidebar.svelte b/src/routes/docs/Sidebar.svelte
@@ -112,6 +112,12 @@
 					icon: 'icon-refresh',
 					isParent: true
 				},
+				{
+					label: 'Security',
+					href: '/docs/advanced/security',
+					icon: 'icon-shield-check',
+					isParent: true
+				},
 				{
 					label: 'Self-hosting',
 					href: '/docs/advanced/self-hosting',

diff --git a/src/routes/docs/advanced/security/+layout.svelte b/src/routes/docs/advanced/security/+layout.svelte
@@ -0,0 +1,84 @@
+<script lang="ts">
+	import Docs from '$lib/layouts/Docs.svelte';
+	import Sidebar, { type NavParent, type NavTree } from '$lib/layouts/Sidebar.svelte';
+
+	const parent: NavParent = {
+		href: '/docs',
+		label: 'Security'
+	};
+
+	const navigation: NavTree = [
+		{
+			label: 'Getting started',
+			items: [
+				{
+					label: 'Overview',
+					href: '/docs/advanced/security'
+				}
+			]
+		},
+		{
+			label: 'Compliances',
+			items: [
+				{
+					label: 'GDPR',
+					href: '/docs/advanced/security/gdpr'
+				},
+				{
+					label: 'SOC 2 (Coming soon)',
+					href: '/docs/advanced/security/soc2'
+				},
+				{
+					label: 'HIPPA (Coming soon)',
+					href: '/docs/advanced/security/hippa'
+				},
+				{
+					label: 'PCI',
+					href: '/docs/advanced/security/pci'
+				},
+			]
+		},
+		{
+			label: 'Measures',
+			items: [
+				{
+					label: 'Authentication',
+					href: '/docs/advanced/security/authentication'
+				},
+				{
+					label: 'Encryption',
+					href: '/docs/advanced/security/encryption'
+				},
+				{
+					label: 'HTTPS',
+					href: '/docs/advanced/security/https'
+				},
+				{
+					label: 'TLS',
+					href: '/docs/advanced/security/tls'
+				},
+				{
+					label: 'Backups',
+					href: '/docs/advanced/security/backups'
+				},
+				{
+					label: 'Penetration tests',
+					href: '/docs/advanced/security/penetration-tests'
+				},
+				{
+					label: 'Audit logs',
+					href: '/docs/advanced/security/audit-logs'
+				},
+				{
+					label: 'Abuse protection',
+					href: '/docs/advanced/security/abuse-protection'
+				},
+			]
+		}
+	];
+</script>
+
+<Docs variant="two-side-navs">
+	<Sidebar {navigation} {parent} />
+	<slot />
+</Docs>
diff --git a/src/routes/docs/advanced/security/+page.markdoc b/src/routes/docs/advanced/security/+page.markdoc
@@ -0,0 +1,88 @@
+---
+layout: article
+title: Security
+description: Learn how Appwrite keeps your project, users, and data secure through security measures and compliance.
+---
+
+Appwrite helps you build secure apps by applying various security and compliance measures. 
+Appwrite is compliant with [GDPR](/docs/advanced/security/gdpr) and actively working toward [SOC 2](/docs/advanced/security/soc2) and [HIPPA](/docs/advanced/security/hippa) compliance.
+
+Appwrite also employs [enhanced password protection and encryption](/docs/products/auth/security), [rate limits](/docs/advanced/security/abuse-protection), 
+[robust permission systems](/docs/advanced/platform/permissions), and [HTTPS/TLS](/docs/advanced/security/tls) to protect you and your users' data.
+
+# Compliance {% #compliance %}
+
+The safeguarding of your and your users' data is taken seriously at Appwrite.
+Appwrite works to achieve compliance with a variety of standards to protect sensitive data, as well as maintain trust and credibility.
+
+{% cards %}
+{% cards_item href="/docs/advanced/security/gdpr" title="GDPR" %}
+Appwrite is GDPR compliant. Learn about our measures, privacy policy, and find our data processing agreement.
+{% /cards_item %}
+
+{% cards_item href="/docs/advanced/security/pci" title="PCI" %}
+Appwrite uses Stripe to handle payment and payment information securely. Learn about Appwrite's PCI compliance.
+{% /cards_item %}
+
+{% cards_item href="/docs/advanced/security/soc2" title="SOC 2" %}
+Coming soon
+{% /cards_item %}
+
+{% cards_item href="/docs/advanced/security/hippa" title="HIPPA" %}
+Coming soon.
+{% /cards_item %}
+
+{% /cards %}
+
+# Measures {% #measures %}
+
+Appwrite employs a variety of measures to help you build secure applications, faster.
+Learn about the different ways Appwrite protects you and your users' data and privacy.
+
+{% cards %}
+{% cards_item href="/docs/products/auth/security" title="Authentication" %}
+Secure authentication methods to 
+protect your users and promote better passwords.
+{% /cards_item %}
+
+{% cards_item href="/docs/advanced/security/encryption" title="Encryption" %}
+Appwrite encrypts sensitive data and files 
+in Appwrite Databases and Storage.
+{% /cards_item %}
+
+{% cards_item href="/docs/advanced/security/https" title="HTTPS" %}
+Appwrite Cloud enforces HTTPS on all endpoints to prevent on-path
+attacks like packet sniffing.
+{% /cards_item %}
+
+{% cards_item href="/docs/advanced/security/https" title="TLS" %}
+Appwrite assigns TLS certificates on all
+Appwrite and user provided domains connected to Appwrite. 
+{% /cards_item %}
+
+{% cards_item href="/docs/advanced/security/backups" title="Backups" %}
+Appwrite Cloud uses regular backups to prevent
+data loss and improve resiliency.
+{% /cards_item %}
+
+{% cards_item href="" title="Penetration tests" %}
+Appwrite employs regular third-party penetration tests
+to find vulnerabilities.
+{% /cards_item %}
+
+{% cards_item href="" title="Audit logs" %}
+Appwrite provides detailed audit logs for each 
+product to track and discover suspicious activity.
+{% /cards_item %}
+
+{% cards_item href="" title="Abuse protection" %}
+Appwrite protects against common abuse methods
+like DoS and brute-force attacks.
+{% /cards_item %}
+
+{% /cards %}
+
+# Reporting vulnerabilities {% #reporting-vulnerabilities %}
+If you discover security vulnerabilities, please contact us at security@appwrite.io.
+Please avoid **posting a public issue** on GitHub or elsewhere online to prevent malicious actors
+from abusing the vulnerabilities before the Appwrite team has chance to patch the issue.
diff --git a/src/routes/docs/advanced/security/abuse-protection/+page.markdoc b/src/routes/docs/advanced/security/abuse-protection/+page.markdoc
@@ -0,0 +1,35 @@
+---
+layout: article
+title: Abuse protection
+description: Learn how Appwrite protects your apps from abuse through rate limiting and cross-site scripting protection.
+---
+Appwrite comes packaged with tools to protect against various forms of abuse, like brute force attacks, data scraping, and many
+other common forms of abuse. 
+
+# Rate limiting {% #rate-limiting %}
+Appwrite uses rate limits on some endpoints to avoid abuse or brute-force attacks against Appwrite's REST API.
+Each Appwrite route documentation has information about any rate limits that might apply to them.
+
+Rate limits limit the number of requests a user or IP can make against an API within a period of time.
+Rate limits help protect against brute force attacks against authentication endpoints and other forms of API
+abuse like [denial of service attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack).
+
+{% arrow_link href="/docs/advanced/platform/rate-limits" %}
+Learn more about rate limits
+{% /arrow_link %}
+
+# Cross-origin resource sharing (CORS) {% #CORS %}
+Appwrite limits who can make requests to Appwrite's APIs by default.
+This means that unless your app's domain is added to Appwrite as a platform, requests are rejected.
+By being explicit with the domains that are allowed
+to make requests to your Appwrite project, requests from JavaScript hosted on unknown domains 
+will not be accepted.
+
+You can add new platforms by navigating to **Overview** > **Platforms** > **Add platform**.
+
+{% only_dark %}
+![Add a platform](/images/docs/quick-starts/dark/add-platform.png)
+{% /only_dark %}
+{% only_light %}
+![Add a platform](/images/docs/quick-starts/add-platform.png)
+{% /only_light %}
diff --git a/src/routes/docs/advanced/security/audit-logs/+page.markdoc b/src/routes/docs/advanced/security/audit-logs/+page.markdoc
@@ -0,0 +1,52 @@
+---
+layout: article
+title: Audit logs
+description: Appwrite provides audit logs to help detect anomalies and investigate security incidents.
+---
+
+All Appwrite products, like Authentication, Databases, Storage, Functions, and Messaging, provide detailed audit logs.
+Audit logs are important in detecting and responding to security incidents.
+Through audit logs, you can detect incidents through anomalous activities, 
+trace the source of security incidents, and understand the scope of users affected so you can respond more quickly
+and effectively.
+
+# Access audit logs {% #access-audit-logs %}
+You can access audit logs for different products under the **Activity** tab where applicable.
+Logs are available for collections, documents, and individual users.
+
+{% only_dark %}
+![Project settings screen](/images/docs/advanced/security/dark/activity.png)
+{% /only_dark %}
+{% only_light %}
+![Project settings screen](/images/docs/advanced/security/activity.png)
+{% /only_light %}
+
+# Format {% #format %}
+Audit log entries under the **Activity** tab has the following structure.
+Each entry describes an event.
+
+{% table %}
+* Column
+* Description
+---
+* User
+* Name of the user that performed the event.
+---
+* Event
+* The name of the [event](/docs/advanced/platform/events).
+---
+* Location
+* The physical of the user when they performed the action.
+---
+* IP
+* The IP of the user when they performed an action.
+---
+* Date
+* The date and time of the event.
+{% /table %}
+
+# Retention {% #retention %}
+GDPR data retention rules require any personal data that is collected or processed to be kept 
+only for as long as data are required to achieve the purpose for which the information was collected.
+For this reason, audit logs are retained for only 7 days for Pro organizations and 1 hour 
+for Starter organizations.
diff --git a/src/routes/docs/advanced/security/authentication/+page.markdoc b/src/routes/docs/advanced/security/authentication/+page.markdoc
@@ -0,0 +1,10 @@
+---
+layout: article
+title: Authentication
+description: Learn how Appwrite protects your passwords and helps users pick better passwords.
+---
+
+Appwrite helps you implement secure authentication in your applications by using advanced password hashing to protect passwords in storage. 
+Appwrite also provides tools to help users pick better passwords, making them harder to break.
+
+{% partial file="auth-security.md" /%}
diff --git a/src/routes/docs/advanced/security/backups/+page.markdoc b/src/routes/docs/advanced/security/backups/+page.markdoc
@@ -0,0 +1,14 @@
+---
+layout: article
+title: Backups
+description: Appwrite performs regular data backups to ensure data security. Data must be kept private, but continuously available in the event of malicious attacks, corruption, or accidents.
+---
+
+Preventing downtime and keeping data available is a crucial part to digital security.
+Backups are crucial for:
+- Recovering from accidental deletion of data.
+- Recovering in case of malicious alteration or deletion of data.
+- Reducing downtime in the event of accidental data loss, corruption, or malicious attacks.
+
+Appwrite Cloud uses multiple databases for its products. Some data bases will have access to point-in-time recovery from the past 7 days.
+Other databases performs regular data backups every 4 hours. Each backup is kept for 7 days.
diff --git a/src/routes/docs/advanced/security/encryption/+page.markdoc b/src/routes/docs/advanced/security/encryption/+page.markdoc
@@ -0,0 +1,19 @@
+---
+layout: article
+title: Encryption
+description: Learn about Appwrite's use of encryption across Appwrite's databases and storage buckets to protect user data.
+---
+Other than applying encryption in [authentication](/docs/products/auth/security), [enforcing HTTPS](/docs/advanced/security/https), 
+and [generating TLS certificate for domains](/docs/advanced/security/tls), Appwrite also uses encryption for Storage, and Databases to come.
+Encryption helps secure your files and data in storage. In the event that an attack happens and a malicious actor gains access to files
+or data, encrypted files and data cannot be deciphered, adding a further layer of protection.
+
+## Storage {% #storage %}
+
+For storage, buckets can have its files encrypted. If enabled, files uploaded to the bucket that are smaller than 20MB will be encrypted in the storage provider.
+You can enable encryption by going to your bucket's **Settings** > **Security settings** > toggle **Encryption**.
+Files are encrypted with AES-128 in Galois/Counter Mode (GCM).
+
+## Databases {% #databases %}
+Databases will provide the ability to create encrypted columns. This feature is being actively developed and coming soon.
+Attributes will be encrypted with AES-128 in Galois/Counter Mode (GCM).