docs(security): STRIDE threat-model coverage matrix #23
Merged
New docs/threat-model.md enumerates 16 threats across STRIDE with one row each linking the mitigation to code, test, and (where applicable) runbook. Closes T1.4 from misc/next-steps.md and turns "we thought about this" into a reviewable artifact. Includes an honest out-of-scope section (IdP compromise, browser XSS, MITM with TLS verify off, side-channel timing, post-quantum, operator-bypass-of-PROD_MODE, per-mount RBAC) so future work can pick up gaps explicitly rather than assuming coverage. Closing section names how to keep the doc in sync during review: when an auth/authz path changes, the matrix row's Mitigation column must keep matching the code, or the row needs a doc update in the same PR. Cross-linked from README "Standards conformance" section, from specs.md companion-docs line at the top, and from main.go's /register rate-limit constant comment (row 1 is the load-bearing DCR-abuse mitigation).
Summary

Closes T1.4 from misc/next-steps.md. New docs/threat-model.md enumerates 16 threats across STRIDE with one row each linking the mitigation to code, test, and (where applicable) runbook. Turns "we thought about this" into a reviewable, auditable artifact.

Coverage

id_token claim-shape drift, IdP error_description phishing (S+I)

Honest scope boundaries

Out-of-scope section names what the proxy explicitly does NOT defend against (IdP compromise, browser XSS, MITM-with-TLS-off, side-channel timing, post-quantum, operator-bypass-of-PROD_MODE, per-mount RBAC). Listed so future work picks up gaps explicitly rather than assuming coverage.

Live document, not write-once

Closing section ("How to use this document during review") names the discipline: when an auth/authz path changes, the matrix row's Mitigation column must keep matching the code or the row gets updated in the same PR. The matrix is the artifact a security reviewer or auditor reads first.

Cross-references

README.md "Standards conformance" section.
specs.md top-of-doc companion-docs line.
main.go /register rate-limit constant carries a comment pointing at row 1 (DCR abuse) so a future reader changing the value sees the cross-reference.

Test plan

main.go comment). client_name control-byte strip at DCR (handlers/register.go:109), PROD_MODE violation list (config/config.go:415-450), FamilyIssuedAt + REVOKE_BEFORE apply to access AND refresh (middleware/auth.go:164, handlers/token.go:354), fragment-bearing redirect URIs rejected at DCR (handlers/register.go:153).
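Two of the DCR-time mitigations the test plan names (client_name control-byte strip, fragment-bearing redirect_uri rejection), shown as an added Go example that is not the project's handlers/register.go: DCRRequest, ValidateDCR and stripControlBytes are assumed names, the error values are constructed, and requiring each redirect_uri to be absolute is an assumption beyond what the PR states.

```go
package main

import (
	"errors"
	"net/url"
	"strings"
	"unicode"
)

// DCRRequest is a constructed subset of an RFC 7591 registration body.
type DCRRequest struct {
	ClientName   string
	RedirectURIs []string
}

var (
	ErrBadRedirectURI = errors.New("redirect_uri is not an absolute URI")
	ErrFragmentInURI  = errors.New("redirect_uri must not contain a fragment (RFC 6749 §3.1.2)")
)

// stripControlBytes drops control characters (C0, C1, DEL) from client_name so a
// registered name cannot smuggle newlines or escape sequences into logs or admin UIs.
func stripControlBytes(s string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsControl(r) {
			return -1 // dropped
		}
		return r
	}, s)
}

// ValidateDCR applies the two registration-time checks and returns the sanitized
// request. Fragments are rejected at registration so that exact-match redirect_uri
// comparison at /authorize stays meaningful (assumed matching policy).
func ValidateDCR(req DCRRequest) (DCRRequest, error) {
	for _, raw := range req.RedirectURIs {
		u, err := url.Parse(raw)
		if err != nil || !u.IsAbs() {
			return req, ErrBadRedirectURI
		}
		// url.Parse stores the fragment separately; the raw check also catches a bare trailing "#".
		if u.Fragment != "" || strings.Contains(raw, "#") {
			return req, ErrFragmentInURI
		}
	}
	req.ClientName = stripControlBytes(req.ClientName)
	return req, nil
}
```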