# ๐Ÿ“‹ Plan: Complete Beta Release โ€” Handler Coverage, Security Dashboard UX, and Zero-Day Defense **Date:** December 4, 2025 **Branch:** `feature/beta-release` **Status:** Ready for Implementation --- ## ๐Ÿง UX & Context Analysis ### Current State Summary **โœ… COMPLETED WORK:** - Certificate handler backup-before-delete: โœ… Implemented & Tested - Break-glass token generation/verification: โœ… Implemented & Tested - Security Dashboard: โœ… Basic implementation exists ([Security.tsx](../frontend/src/pages/Security.tsx)) - Coraza WAF integration: โœ… Completed (recent sidetrack work) - Loading overlays: โœ… Completed (recent sidetrack work) **๐Ÿ“Š CURRENT COVERAGE:** - Backend handlers: **73.8%** (target: โ‰ฅ80%) - Backend services: **80.7%** โœ… - Backend models: **97.2%** โœ… - Backend caddy: **99.9%** โœ… **๐Ÿšจ REMAINING GAPS:** 1. Handler test coverage below 80% threshold 2. Security Dashboard cards not in pipeline order 3. Missing zero-day protection explanation in docs 4. Frontend TypeScript errors and test coverage incomplete --- ### User Experience Goals **Security Dashboard Improvements:** 1. **Pipeline Order Cards** โ€” Users need to see security components in the order they execute: - **Card 1: CrowdSec** (IP Reputation โ€” first line of defense) - **Card 2: Access Control (ACL)** (IP/Geo Allow/Deny โ€” second filter) - **Card 3: WAF (Coraza)** (Request Inspection โ€” third filter) - **Card 4: Rate Limiting** (Volume Control โ€” final filter) 2. **Zero-Day Protection Visibility** โ€” Users need to understand: - "Does this protect me against zero-day exploits?" - "What security threats am I covered for?" - Enterprise-level messaging for novice users **Testing & Quality Goals:** - All handlers โ‰ฅ80% coverage - Frontend builds without TypeScript errors - All tests pass in CI/CD pipeline --- ## ๐Ÿค Handoff Contract (The Truth) ### Backend: No New API Changes Required All security APIs already exist. This work focuses on: - **Testing:** Increase handler test coverage - **No code changes to handlers unless fixing bugs** ### Frontend: Card Reordering + Enhanced Messaging **Current Card Order (Security.tsx):** ```tsx // CURRENT (Wrong โ€” not pipeline order): 1. CrowdSec 2. WAF 3. ACL 4. Rate Limiting ``` **Required Card Order (Pipeline Execution Sequence):** ```tsx // REQUIRED (Correct โ€” matches execution pipeline): 1. CrowdSec // IP reputation check (first) 2. ACL // IP/Geo filtering (second) 3. WAF // Request payload inspection (third) 4. Rate Limiting // Volume control (fourth) ``` Update order under Security header on the sidebar to reflect pipeline order as well. **Enhanced Card Content:** Each card should include: - Current toggle + status (already exists) - **NEW:** Pipeline position indicator (e.g., "๐Ÿ›ก๏ธ Layer 1: IP Reputation") - **NEW:** Threat protection summary (e.g., "Protects against: Known attackers, botnets") --- ## ๐Ÿ—๏ธ Phase 1: Backend Implementation (Go) ### Task 1.1: Increase Handler Test Coverage to โ‰ฅ80% **Target Files (Current Coverage Below 80%):** 1. **[proxy_host_handler.go](../../backend/internal/api/handlers/proxy_host_handler.go)** (54%/41% Create/Update) - Add tests for: - Invalid domain format - Duplicate domain creation - Update with conflicting domains - Proxy host with missing upstream - Docker container auto-discovery edge cases 2. **[certificate_handler.go](../../backend/internal/api/handlers/certificate_handler.go)** (Upload handler low coverage) - Add tests for: - Upload success with valid PEM cert + key - Upload with invalid PEM format - Upload with cert/key mismatch - Upload with expired certificate - Upload when disk space low 3. **[security_handler.go](../../backend/internal/api/handlers/security_handler.go)** (48-60% on Upsert/DeleteRuleSet/Enable/Disable) - Add tests for: - Upsert ruleset with invalid content - Delete ruleset when in use by security config - Enable Cerberus without admin whitelist (should fail) - Disable Cerberus with invalid break-glass token - Verify break-glass token expiration 4. **[import_handler.go](../../backend/internal/api/handlers/import_handler.go)** (DetectImports, UploadMulti, commit flows) - Add tests for: - DetectImports with malformed Caddyfile - UploadMulti with oversized file - Commit import with partial failure rollback - Import session cleanup on error 5. **[crowdsec_handler.go](../../backend/internal/api/handlers/crowdsec_handler.go)** (ReadFile, WriteFile) - Add tests for: - ReadFile with path traversal attempt (sanitization check) - WriteFile with invalid YAML content - WriteFile when CrowdSec service not running 6. **[uptime_handler.go](../../backend/internal/api/handlers/uptime_handler.go)** (Sync, Delete, GetHistory edge cases) - Add tests for: - Sync when uptime service unreachable - Delete monitor that doesn't exist - GetHistory with invalid time range **Success Criteria:** ```bash cd /projects/Charon/backend go test ./internal/api/handlers -coverprofile=handlers.cover go tool cover -func=handlers.cover | grep "total:" | awk '{print $3}' # Output: โ‰ฅ80.0% ``` ### Task 1.2: Run Pre-commit & Fix Any Linting Issues ```bash cd /projects/Charon .venv/bin/pre-commit run --all-files ``` If errors occur, fix immediately per `.github/copilot-instructions.md` Task Completion Protocol. --- ## ๐ŸŽจ Phase 2: Frontend Implementation (React) ### Task 2.1: Reorder Security Dashboard Cards (Pipeline Sequence) **File:** [frontend/src/pages/Security.tsx](../../frontend/src/pages/Security.tsx) **Current Structure (lines ~300-450):** ```tsx
{/* CrowdSec */} ... {/* WAF */} ... {/* ACL */} ... {/* Rate Limiting */} ...
``` **Required Change:** - Swap **ACL** and **WAF** card order to match pipeline execution - Add pipeline layer indicators to each card **New Order:** ```tsx
{/* CrowdSec - Layer 1 */}
๐Ÿ›ก๏ธ Layer 1: IP Reputation
{/* existing card content */} {/* ACL - Layer 2 */}
๐Ÿ”’ Layer 2: Access Control
{/* existing card content */} {/* WAF - Layer 3 */}
๐Ÿ›ก๏ธ Layer 3: Request Inspection
{/* existing card content */} {/* Rate Limiting - Layer 4 */}
โšก Layer 4: Volume Control
{/* existing card content */}
``` ### Task 2.2: Add Threat Protection Summary to Each Card **Enhance card descriptions with specific threat coverage:** **CrowdSec Card:** ```tsx

{status.crowdsec.enabled ? `Protects against: Known attackers, botnets, brute-force attempts` : 'Intrusion Prevention System'}

``` **ACL Card:** ```tsx

Protects against: Unauthorized IPs, geo-based attacks, insider threats

``` **WAF Card:** ```tsx

{status.waf.enabled ? `Protects against: SQL injection, XSS, RCE, zero-day exploits*` : 'Web Application Firewall'}

``` **Rate Limiting Card:** ```tsx

Protects against: DDoS attacks, credential stuffing, API abuse

``` ### Task 2.3: Fix Frontend TypeScript Errors & Tests ```bash cd /projects/Charon/frontend npm run type-check # Fix all errors npm test # Ensure all tests pass ``` **Common issues to address:** - Unused imports (already fixed in `CertificateList.test.tsx`) - Missing test coverage for Security.tsx - API client type mismatches --- ## ๐Ÿ•ต๏ธ Phase 3: Zero-Day Protection Analysis & Documentation ### Zero-Day Protection Assessment **Question:** Do our security offerings help protect against zero-day vulnerabilities? **Answer:** โœ… **YES โ€” Limited Protection** via WAF (Coraza) **How It Works:** 1. **WAF with OWASP Core Rule Set (CRS):** - Detects **common attack patterns** even for zero-day exploits - Example: A zero-day SQLi exploit still uses SQL syntax patterns โ†’ WAF blocks it - **Detection-Only Mode:** Logs suspicious requests without blocking (safe for testing) - **Blocking Mode:** Actively prevents exploitation attempts 2. **CrowdSec (Limited Zero-Day Protection):** - Only protects against zero-days **after** first exploitation in the wild - Crowd-sourced intelligence: If attacker hits one CrowdSec user, all users get protection - **Time Gap:** Hours to days between first exploitation and crowd-sourced blocklist update 3. **ACLs (No Zero-Day Protection):** - Static rules only - Cannot detect unknown exploits 4. **Rate Limiting (Indirect Protection):** - Slows down automated exploit attempts - Doesn't prevent zero-days but limits blast radius **What We DON'T Protect Against:** - โŒ Zero-days in application code itself (need code audits + patching) - โŒ Zero-days in underlying services (Docker, Linux kernel) โ€” need OS updates - โŒ Logic bugs in business workflows - โŒ Social engineering attacks --- ### Additional Security Threats to Consider **1. Supply Chain Attacks** - **Threat:** Compromised Docker images, npm packages, Go modules - **Current Protection:** โŒ None - **Recommendation:** Add Trivy scanning (already in CI) + SBOM generation **2. DNS Hijacking / Cache Poisoning** - **Threat:** Attacker redirects DNS queries to malicious servers - **Current Protection:** โŒ None (relies on system DNS resolver) - **Recommendation:** Document use of encrypted DNS (DoH/DoT) in deployment guide **3. TLS Downgrade Attacks** - **Threat:** Force clients to use weak TLS versions - **Current Protection:** โœ… Caddy enforces TLS 1.2+ by default - **Recommendation:** Document minimum TLS version in security.md **4. Certificate Transparency (CT) Log Poisoning** - **Threat:** Attacker registers fraudulent certs for your domains - **Current Protection:** โŒ None - **Recommendation:** Add CT log monitoring (future feature) **5. Privilege Escalation (Container Escape)** - **Threat:** Attacker escapes Docker container to host OS - **Current Protection:** โš ๏ธ Partial (Docker security best practices) - **Recommendation:** Document running with least-privilege, read-only root filesystem **6. Session Hijacking / Cookie Theft** - **Threat:** Steal user session tokens via XSS or network sniffing - **Current Protection:** โœ… HTTPOnly cookies, Secure flag, SameSite (verify implementation) - **Recommendation:** Add CSP (Content Security Policy) headers **7. Timing Attacks (Cryptographic Side-Channel)** - **Threat:** Infer secrets by measuring response times - **Current Protection:** โŒ Unknown (need bcrypt timing audit) - **Recommendation:** Use constant-time comparison for tokens **Enterprise-Level Security Gaps:** - **Missing:** Security Incident Response Plan (SIRP) - **Missing:** Automated security update notifications - **Missing:** Multi-factor authentication (MFA) for admin accounts - **Missing:** Audit logging for compliance (GDPR, SOC 2) --- ## ๐Ÿ“š Phase 4: Documentation Updates ### Task 4.1: Update docs/features.md **Add new section after "Block Bad Behavior":** ```markdown ### Zero-Day Exploit Protection **What it does:** The WAF (Web Application Firewall) can detect and block many zero-day exploits before they reach your apps. **Why you care:** Even if a brand-new vulnerability is discovered in your software, the WAF might catch it by recognizing the attack pattern. **How it works:** - Attackers use predictable patterns (SQL syntax, JavaScript tags, command injection) - The WAF inspects every request for these patterns - If detected, the request is blocked or logged (depending on mode) **What you do:** 1. Enable WAF in "Monitor" mode first (logs only, doesn't block) 2. Review logs for false positives 3. Switch to "Block" mode when ready **Limitations:** - Only protects against **web-based** exploits (HTTP/HTTPS traffic) - Does NOT protect against zero-days in Docker, Linux, or Charon itself - Does NOT replace regular security updates **Learn more:** [OWASP Core Rule Set](https://coreruleset.org/) ``` ### Task 4.2: Update docs/security.md **Add new section after "Common Questions":** ```markdown ## Zero-Day Protection ### What We Protect Against **Web Application Exploits:** - โœ… SQL Injection (SQLi) โ€” even zero-days using SQL syntax - โœ… Cross-Site Scripting (XSS) โ€” new XSS vectors caught by pattern matching - โœ… Remote Code Execution (RCE) โ€” command injection patterns - โœ… Path Traversal โ€” attempts to read system files - โš ๏ธ CrowdSec โ€” protects hours/days after first exploitation (crowd-sourced) **How It Works:** The WAF (Coraza) uses the OWASP Core Rule Set to detect attack patterns. Even if the exploit is brand new, the *pattern* is usually recognizable. **Example:** A zero-day SQLi exploit discovered today: ``` https://yourapp.com/search?q=' OR '1'='1 ``` - **Pattern:** `' OR '1'='1` matches SQL injection signature - **Action:** WAF blocks request โ†’ attacker never reaches your database ### What We DON'T Protect Against - โŒ Zero-days in Charon itself (keep Charon updated) - โŒ Zero-days in Docker, Linux kernel (keep OS updated) - โŒ Logic bugs in your application code (need code reviews) - โŒ Insider threats (need access controls + auditing) - โŒ Social engineering (need user training) ### Recommendation: Defense in Depth 1. **Enable all Cerberus layers:** - CrowdSec (IP reputation) - ACLs (restrict access by geography/IP) - WAF (request inspection) - Rate Limiting (slow down attacks) 2. **Keep everything updated:** - Charon (watch GitHub releases) - Docker images (rebuild regularly) - Host OS (enable unattended-upgrades) 3. **Monitor security logs:** - Check "Security โ†’ Decisions" weekly - Set up alerts for high block rates This gives you **enterprise-level protection** even as a novice user. You set it once, and Charon handles the rest automatically. ``` ### Task 4.3: Update docs/cerberus.md **Add new section after "Architecture":** ```markdown ## Threat Model & Protection Coverage ### What Cerberus Protects | Threat Category | CrowdSec | ACL | WAF | Rate Limit | |-----------------|----------|-----|-----|------------| | Known attackers (IP reputation) | โœ… | โŒ | โŒ | โŒ | | Geo-based attacks | โŒ | โœ… | โŒ | โŒ | | SQL Injection (SQLi) | โŒ | โŒ | โœ… | โŒ | | Cross-Site Scripting (XSS) | โŒ | โŒ | โœ… | โŒ | | Remote Code Execution (RCE) | โŒ | โŒ | โœ… | โŒ | | **Zero-Day Web Exploits** | โš ๏ธ | โŒ | โœ… | โŒ | | DDoS / Volume attacks | โŒ | โŒ | โŒ | โœ… | | Brute-force login attempts | โœ… | โŒ | โŒ | โœ… | | Credential stuffing | โœ… | โŒ | โŒ | โœ… | **Legend:** - โœ… Full protection - โš ๏ธ Partial protection (time-delayed) - โŒ Not designed for this threat ### Zero-Day Exploit Protection (WAF) The WAF provides **pattern-based detection** for zero-day exploits: **How It Works:** 1. Attacker discovers new vulnerability (e.g., SQLi in your login form) 2. Attacker crafts exploit: `' OR 1=1--` 3. WAF inspects request โ†’ matches SQL injection pattern โ†’ **BLOCKED** 4. Your application never sees the malicious input **Limitations:** - Only protects HTTP/HTTPS traffic - Cannot detect completely novel attack patterns (rare) - Does not protect against logic bugs in application code **Effectiveness:** - **~90% of zero-day web exploits** use known patterns (SQLi, XSS, RCE) - **~10% are truly novel** and may bypass WAF until rules are updated ### Request Processing Pipeline ``` 1. [CrowdSec] Check IP reputation โ†’ Block if known attacker 2. [ACL] Check IP/Geo rules โ†’ Block if not allowed 3. [WAF] Inspect request payload โ†’ Block if malicious pattern 4. [Rate Limit] Count requests โ†’ Block if too many 5. [Proxy] Forward to upstream service ``` **Key Insight:** Layered defense means even if one layer fails, others still protect. ``` --- ## ๐Ÿงช Phase 5: QA & Security Testing ### Test Scenarios **1. Security Dashboard Card Order:** - โœ… Visual inspection: Cards appear in pipeline order (CrowdSec โ†’ ACL โ†’ WAF โ†’ Rate Limit) - โœ… Layer indicators visible on each card - โœ… Threat protection summaries display correctly **2. Handler Coverage:** ```bash cd /projects/Charon/backend go test ./internal/api/handlers -coverprofile=handlers.cover go tool cover -func=handlers.cover # Verify all handlers โ‰ฅ80% coverage ``` **3. Frontend Build:** ```bash cd /projects/Charon/frontend npm run type-check # Zero errors npm test # All tests pass npm run build # Successful build ``` **4. Pre-commit Hooks:** ```bash cd /projects/Charon .venv/bin/pre-commit run --all-files # All hooks pass ``` **5. Integration Test:** ```bash cd /projects/Charon bash scripts/coraza_integration.sh # WAF integration test passes ``` **6. Zero-Day Protection Manual Test:** 1. Enable WAF in "block" mode 2. Send request: `curl http://localhost:8080/api/v1/proxy-hosts?search=` 3. Verify response: `403 Forbidden` + logged in Security Decisions 4. Check WAF metrics: `charon_waf_blocked_total` increments --- ## ๐Ÿ“‹ Implementation Checklist ### Backend - [ ] Add handler tests for `proxy_host_handler.go` (Create/Update flows) - [ ] Add handler tests for `certificate_handler.go` (Upload success/errors) - [ ] Add handler tests for `security_handler.go` (Upsert/Delete/Enable/Disable) - [ ] Add handler tests for `import_handler.go` (DetectImports, UploadMulti, commit) - [ ] Add handler tests for `crowdsec_handler.go` (ReadFile/WriteFile edge cases) - [ ] Add handler tests for `uptime_handler.go` (Sync/Delete/GetHistory errors) - [ ] Run `go test ./internal/api/handlers -coverprofile=handlers.cover` โ†’ Verify โ‰ฅ80% - [ ] Run `pre-commit run --all-files` โ†’ Fix any errors ### Frontend - [ ] Reorder Security Dashboard cards (CrowdSec โ†’ ACL โ†’ WAF โ†’ Rate Limit) - [ ] Add pipeline layer indicators (`๐Ÿ›ก๏ธ Layer 1: IP Reputation`, etc.) - [ ] Add threat protection summaries to each card - [ ] Run `npm run type-check` โ†’ Fix all TypeScript errors - [ ] Run `npm test` โ†’ Ensure all tests pass - [ ] Run `npm run build` โ†’ Verify successful build ### Documentation - [ ] Update `docs/features.md` โ†’ Add "Zero-Day Exploit Protection" section - [ ] Update `docs/security.md` โ†’ Add "Zero-Day Protection" section - [ ] Update `docs/cerberus.md` โ†’ Add "Threat Model & Protection Coverage" section - [ ] Update `docs/cerberus.md` โ†’ Add "Request Processing Pipeline" diagram ### QA & Testing - [ ] Visual test: Security Dashboard card order correct - [ ] Backend coverage: All handlers โ‰ฅ80% - [ ] Frontend: Zero TypeScript errors - [ ] Integration test: `bash scripts/coraza_integration.sh` passes - [ ] Manual test: WAF blocks `