Skip to content

Release 2025.07: Security Hardening and Flask-Session Migration

Choose a tag to compare

View all tags
@cubinet-code cubinet-code released this 03 Jul 17:15
· 3 commits to main since this release
2025.07
9c2c9e7
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Security Enhancements

Input Validation and CSRF Protection

  • Input Validation: Added comprehensive validation for RADIUS standards (63 char username, 128 char password limits)
  • Character Validation: Username restricted to alphanumeric, @, ., _, - characters only
  • CSRF Protection: All forms now protected with Flask-WTF CSRF tokens
  • Security Headers: Added CSP, X-Frame-Options, HSTS, X-XSS-Protection, and more

X-Forwarded-For Security

  • IP Spoofing Prevention: Configurable FORWARDED_ALLOW_IPS to restrict trusted proxy sources
  • Production Security: Enhanced documentation for proper reverse proxy configuration
  • Container Support: Kubernetes/Docker deployment examples with proper IP restrictions

Technical Improvements

Flask-Session Migration

  • Deprecated Backend Fix: Migrated from deprecated filesystem backend to CacheLib
  • Modern Session Storage: Using FileSystemCache with 500 item threshold
  • Performance: Improved session handling and storage management

Enhanced Logging and Error Handling

  • Circuit Breaker Logging: Detailed RADIUS server failure tracking with server identification
  • Security Event Logging: Authentication failures, validation errors, and CSRF violations
  • Missing Attribute Handling: Graceful UUID fallback for missing RADIUS Class attributes
  • Troubleshooting: Enhanced error messages with context for easier debugging

Form and Template Improvements

  • WTForms Integration: Complete refactor to use WTForms for validation and rendering
  • Separate Forms: Distinct forms for login, logout, and session extension with proper CSRF protection
  • User Experience: Better error messages and validation feedback

Documentation Updates

Security Configuration Guide

  • X-Forwarded-For Configuration: Comprehensive examples for different deployment scenarios
  • Input Validation: Detailed explanation of RADIUS standards compliance
  • Troubleshooting: New section covering security errors and common issues

Dependencies and Configuration

  • Updated Requirements: New security packages (Flask-WTF, WTForms, cachelib)
  • Configuration Examples: Updated config templates with modern session backend
  • Environment Variables: Enhanced documentation for production deployment

Testing and Quality Assurance

  • Test Suite Updates: Fixed tests to work with CSRF protection and new validation
  • Configuration Isolation: Proper test environment with disabled CSRF for testing
  • Validation Testing: Comprehensive test coverage for input validation scenarios

Addresses GitHub issue #1

Assets 2
Loading