sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
beef3ce76b955877ec999f1d84d40ba623bfb96d
orion/.security-rules/authentication.yaml
Samir Boulahtit 26b3dc9e3b feat: add unified code quality dashboard with multiple validators 
- Add validator_type field to scans and violations (architecture,
  security, performance)
- Create security validator with SEC-xxx rules
- Create performance validator with PERF-xxx rules
- Add base validator class for shared functionality
- Add validate_all.py script to run all validators
- Update code quality service with validator type filtering
- Add validator type tabs to dashboard UI
- Add validator type filter to violations list
- Update stats response with per-validator breakdown
- Add security and performance rules documentation
- Add chat-bubble icons to icon library

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 20:57:47 +01:00

71 lines
1.9 KiB
YAML
Raw Blame History

# Authentication Security Rules
# =============================
authentication_rules:
- id: SEC-001
name: No hardcoded credentials
severity: error
description: >
Credentials must never be hardcoded in source code.
Use environment variables or secret management.
- id: SEC-002
name: JWT expiry enforcement
severity: error
description: >
All JWT tokens must have expiration claims.
Access tokens should expire in 15-60 minutes.
- id: SEC-003
name: Password hashing required
severity: error
description: >
Passwords must be hashed using bcrypt, argon2, or scrypt.
Never store or compare passwords in plain text.
- id: SEC-004
name: Session regeneration after auth
severity: warning
description: >
Session IDs should be regenerated after authentication
to prevent session fixation attacks.
- id: SEC-005
name: Brute force protection
severity: warning
description: >
Login endpoints should implement rate limiting
or account lockout after failed attempts.
- id: SEC-006
name: Secure password reset
severity: warning
description: >
Password reset tokens must be cryptographically random,
expire within 1 hour, and be single-use.
- id: SEC-007
name: Authentication on sensitive endpoints
severity: error
description: >
All endpoints except public ones must require authentication.
- id: SEC-008
name: Token in Authorization header
severity: warning
description: >
JWT tokens should be sent in Authorization header,
not in URL parameters.
- id: SEC-009
name: Logout invalidates tokens
severity: warning
description: >
Logout should invalidate or blacklist tokens.
- id: SEC-010
name: Multi-factor authentication support
severity: info
description: >
Consider implementing MFA for sensitive operations.
Reference in New Issue View Git Blame Copy Permalink