| Version | Supported |
|---|---|
| latest | ✅ |

I take security seriously. If you discover a security vulnerability in WebSSH, please report it responsibly.
Please do NOT open a public GitHub issue for security vulnerabilities.
Instead, report vulnerabilities via:
- Email: dwight@scranton.de
- GitHub Security Advisories: Report a vulnerability

Please include in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:

- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution Target: Within 30 days (depending on complexity)
- Please give me reasonable time to fix the issue before public disclosure
- I will credit reporters in the release notes (unless you prefer to stay anonymous)

| Feature | Implementation |
|---|---|
| Password Hashing | bcrypt with auto-generated salt |
| Session Management | Flask-Login with secure cookies |
| WebSocket Auth | Session-based with ownership verification |
| CSRF Protection | Flask-WTF tokens on all forms |
| Rate Limiting | 5 login attempts per minute per IP |

| Data | Protection |
|---|---|
| SSH Private Keys | Encrypted at rest using Fernet (AES-128-CBC + HMAC) |
| Key Derivation | PBKDF2-SHA256 with 600,000 iterations |
| Per-User Isolation | Keys derived from SECRET_KEY + user_id |
| File Permissions | Keys stored with 0600, directories with 0700 |

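
As an added illustration (not WebSSH's own code), the Python below implements the scheme this table describes: a per-user Fernet key derived with PBKDF2-SHA256 at 600,000 iterations from SECRET_KEY plus user_id, the private key encrypted under that key, and the result written with mode 0600 inside a 0700 per-user directory. The salt label, file name and directory layout are assumptions made for the example; Fernet comes from the `cryptography` package, and the SECRET_KEY and PEM data are constructed stand-ins.

```python
import base64
import hashlib
import os
import stat
import tempfile
from pathlib import Path

from cryptography.fernet import Fernet, InvalidToken

PBKDF2_ITERATIONS = 600_000   # iteration count stated in the table
FERNET_KEY_BYTES = 32         # Fernet takes 32 raw bytes, urlsafe-base64 encoded


def derive_user_key(secret_key: str, user_id: int) -> bytes:
    """Per-user Fernet key: PBKDF2-SHA256 over SECRET_KEY, salted with the user_id.

    The salt label "webssh-user-key:<id>" is an assumption for this example; the
    point is that user_id enters the derivation, so users sharing one SECRET_KEY
    still get distinct keys.
    """
    salt = f"webssh-user-key:{user_id}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", secret_key.encode(), salt,
                              PBKDF2_ITERATIONS, dklen=FERNET_KEY_BYTES)
    return base64.urlsafe_b64encode(raw)


def store_private_key(data_dir: Path, secret_key: str, user_id: int, pem: bytes) -> Path:
    """Encrypt `pem` under the user's key and write it as 0600 in a 0700 user directory."""
    user_dir = data_dir / str(user_id)
    user_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(user_dir, 0o700)          # mkdir's mode is masked by umask; pin it explicitly
    token = Fernet(derive_user_key(secret_key, user_id)).encrypt(pem)
    path = user_dir / "id_key.enc"     # assumed file name
    # Create the file with 0600 from the first instant instead of chmod'ing afterwards.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(token)
    os.chmod(path, 0o600)              # covers a pre-existing file with a wider mode
    return path


def load_private_key(path: Path, secret_key: str, user_id: int) -> bytes:
    """Decrypt; Fernet checks the HMAC first, so another user's key raises InvalidToken."""
    return Fernet(derive_user_key(secret_key, user_id)).decrypt(path.read_bytes())


def mode_of(path: Path) -> int:
    """Permission bits only (no file-type bits)."""
    return stat.S_IMODE(path.stat().st_mode)


def run_demo() -> dict:
    """Store a key for user 1, then check isolation, round trip and on-disk modes."""
    secret = "constructed-placeholder-use-openssl-rand-hex-32"   # stand-in SECRET_KEY
    pem = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
           b"constructed sample, not a real key\n"
           b"-----END OPENSSH PRIVATE KEY-----\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = store_private_key(Path(tmp), secret, 1, pem)
        try:
            load_private_key(path, secret, 2)   # user 2 must not unwrap user 1's key
            cross_user_blocked = False
        except InvalidToken:
            cross_user_blocked = True
        return {
            "roundtrip": load_private_key(path, secret, 1) == pem,
            "cross_user_blocked": cross_user_blocked,
            "file_mode": mode_of(path),
            "dir_mode": mode_of(path.parent),
            "ciphertext_differs": pem not in path.read_bytes(),
        }


if __name__ == "__main__":
    print(run_demo())
```

Two details worth noticing: the file is created through `os.open` with the mode argument, so there is no window in which it exists world-readable before a later `chmod`, and because Fernet authenticates before decrypting, a key derived for the wrong user fails closed with `InvalidToken` rather than yielding garbage.
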
| Feature | Implementation |
|---|---|
| Security Headers | CSP, X-Frame-Options (DENY), X-Content-Type-Options, HSTS |
| CORS | Configurable, defaults to localhost only |
| WebSocket | Authenticated, room-based isolation per user |
| Reverse Proxy | ProxyFix support via TRUSTED_PROXIES |

| Feature | Implementation |
|---|---|
| Host Key Verification | Trust-on-First-Use (TOFU) with persistent storage |
| Host Key Logging | New keys logged with fingerprint for audit |
| Connection Isolation | Session ownership verified on every operation |
| Credential Handling | Cleared from memory after use |

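
An added example, not the project's code, of the trust-on-first-use behaviour described in the two host-key rows above: a small persistent store that pins the SHA256 fingerprint the first time a host is seen, logs that event with the fingerprint so it can be audited, accepts only the same key on later connections, and rejects a changed key. The JSON layout, the logger name and the key blobs are assumptions or constructed values; a real client would pass in the host key bytes received from the SSH transport.

```python
import base64
import hashlib
import json
import logging
import tempfile
from pathlib import Path

log = logging.getLogger("webssh.hostkeys")  # assumed logger name


class HostKeyChanged(Exception):
    """The host presented a key that differs from the pinned one."""


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class TofuHostKeyStore:
    """Trust-on-first-use store persisted as JSON: {"host:port": {"key-type": fp}}."""

    def __init__(self, path: Path):
        self.path = path
        self._entries = json.loads(path.read_text()) if path.exists() else {}

    def _save(self) -> None:
        self.path.write_text(json.dumps(self._entries, indent=2, sort_keys=True))

    def check(self, host: str, port: int, key_type: str, key_blob: bytes) -> str:
        """Return "new" when the key is pinned for the first time, "known" when it
        matches the pinned fingerprint; raise HostKeyChanged on a mismatch."""
        fp = fingerprint(key_blob)
        entry = self._entries.setdefault(f"{host}:{port}", {})
        pinned = entry.get(key_type)
        if pinned is None:
            entry[key_type] = fp
            self._save()
            # First use is accepted automatically, so this log line is the
            # operator's only chance to notice an unexpected key: keep it loud.
            log.warning("new host key pinned host=%s:%d type=%s fp=%s",
                        host, port, key_type, fp)
            return "new"
        if pinned != fp:
            log.error("host key mismatch host=%s:%d type=%s pinned=%s presented=%s",
                      host, port, key_type, pinned, fp)
            raise HostKeyChanged(f"{host}:{port} {key_type} changed: {pinned} != {fp}")
        return "known"


def run_demo() -> dict:
    """First use, repeat connection, persistence across a restart, and a changed key."""
    key_a = b"constructed-ssh-ed25519-key-blob-A"   # constructed stand-ins for key blobs
    key_b = b"constructed-ssh-ed25519-key-blob-B"
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "known_hosts.json"
        store = TofuHostKeyStore(path)
        first = store.check("bastion.example", 22, "ssh-ed25519", key_a)
        second = store.check("bastion.example", 22, "ssh-ed25519", key_a)
        reopened = TofuHostKeyStore(path)            # simulate a restart: pins must survive
        after_restart = reopened.check("bastion.example", 22, "ssh-ed25519", key_a)
        try:
            reopened.check("bastion.example", 22, "ssh-ed25519", key_b)
            mismatch_rejected = False
        except HostKeyChanged:
            mismatch_rejected = True
        # A different port is a different endpoint and gets its own pin.
        other_port = reopened.check("bastion.example", 2222, "ssh-ed25519", key_b)
    return {"first": first, "second": second, "after_restart": after_restart,
            "mismatch_rejected": mismatch_rejected, "other_port": other_port}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(run_demo())
```

The store keys entries by host and port and by key type, so a host that offers both an RSA and an Ed25519 key is pinned once per type, and the logged fingerprint uses the same `SHA256:` base64 form `ssh-keygen -l` prints, which makes it easy to compare against an out-of-band value.
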
- Set a strong SECRET_KEY: `export SECRET_KEY=$(openssl rand -hex 32)`
- Use TLS - Deploy behind a reverse proxy with HTTPS
- Set specific CORS origins: `export CORS_ORIGINS=https://your-domain.com`
- Enable TRUSTED_PROXIES when behind a reverse proxy: `export TRUSTED_PROXIES=1`
- Restrict network access - Don't expose directly to the internet without protection
- Regular updates - Keep the container image updated

The Docker image runs as non-root user (appuser) with:
- Restricted file permissions (0700 on data directories)
- No unnecessary capabilities
- Health check enabled

| Limitation | Description | Mitigation |
|---|---|---|
| In-Memory Rate Limiting | Bypassed with multiple workers | Use single worker (default) |
| TOFU Host Keys | First connection auto-accepted | Review logs for new host keys |
| No MFA | Single-factor authentication only | Use strong passwords, restrict network access |
| No LDAP/SSO | Local accounts only | Planned for future release |

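
To make the first limitation concrete, here is an added example (not WebSSH's own limiter) of a per-IP sliding-window limiter with the 5-per-minute setting from the authentication table. Its state is a plain dict inside the process, so `attempts_admitted` shows what happens when requests are spread across N independent worker processes: each process holds its own counter and together they admit N × 5 attempts per minute. The IP addresses and timestamps are constructed.

```python
import time
from collections import defaultdict, deque
from typing import Optional


class SlidingWindowLimiter:
    """In-memory per-IP limiter: at most `limit` events per `window` seconds.

    The deque of timestamps lives in this process only, so every worker
    process (or every container replica) has its own independent copy.
    """

    def __init__(self, limit: int = 5, window: float = 60.0):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, ip: str, now: Optional[float] = None) -> bool:
        """Record one attempt from `ip` and report whether it is within the limit."""
        now = time.monotonic() if now is None else now
        q = self._hits[ip]
        while q and now - q[0] >= self.window:   # drop attempts that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False                          # rejected attempts are not recorded
        q.append(now)
        return True


def attempts_admitted(workers: int, attempts: int, ip: str = "203.0.113.7") -> int:
    """How many attempts from one IP get through inside a single minute when a
    load balancer spreads them round-robin over `workers` processes that each
    run their own in-memory limiter with the same 5/min setting."""
    limiters = [SlidingWindowLimiter() for _ in range(workers)]
    admitted = 0
    for i in range(attempts):
        # constructed timestamps: every attempt lands inside the same 60 s window
        if limiters[i % workers].allow(ip, now=1000.0 + i * 0.1):
            admitted += 1
    return admitted


def window_expiry_works() -> bool:
    """Blocked inside the window, admitted again once the window has passed."""
    lim = SlidingWindowLimiter()
    for i in range(5):
        lim.allow("198.51.100.2", now=float(i))
    blocked_in_window = not lim.allow("198.51.100.2", now=30.0)
    admitted_after = lim.allow("198.51.100.2", now=61.0)
    return blocked_in_window and admitted_after


if __name__ == "__main__":
    print("single worker, 20 attempts:", attempts_admitted(1, 20))   # 5
    print("four workers, 40 attempts:", attempts_admitted(4, 40))    # 20
    print("window expiry works:", window_expiry_works())
```

This is why the table's mitigation is a single worker: the counter is only as global as the process it lives in. A deployment that scales to several workers or replicas needs the per-IP counters in a store shared by all of them, otherwise the effective limit grows with the number of processes.
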
This project has not undergone a formal third-party security audit. The code has been reviewed with security best practices in mind, but use in high-security environments should include additional review.
Security-relevant changes will be documented in release notes with the [SECURITY] tag.