akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 14 Packages Projects Releases Wiki Activity
Files
70bd60dbce5c5a333418e2a18e02b2d5511c8d46
Charon/docs/issues/created/20251221-issue-365-manual-test-plan.md
github-actions[bot] 72899cd278 chore: move processed issue files to created/ [skip ci]
2025-12-21 20:05:27 +00:00

111 lines
2.8 KiB
Markdown
Raw Blame History

---
title: "Issue #365: Additional Security Enhancements - Manual Test Plan"
labels:
- manual-testing
- security
- testing
type: testing
priority: medium
parent_issue: 365
---
# Issue #365: Additional Security Enhancements - Manual Test Plan
**Issue**: https://github.com/Wikid82/Charon/issues/365
**PRs**: #436, #437
**Status**: Ready for Manual Testing
---
## Test Scenarios
### 1. Invite Token Security
**Objective**: Verify constant-time token comparison doesn't leak timing information.
**Steps**:
1. Create a new user invite via the admin UI
2. Copy the invite token from the generated link
3. Attempt to accept the invite with the correct token - should succeed
4. Attempt to accept with a token that differs only in the last character - should fail with same response time
5. Attempt to accept with a completely wrong token - should fail with same response time
**Expected**: Response times should be consistent regardless of where the token differs.
---
### 2. Security Headers Verification
**Objective**: Verify all security headers are present.
**Steps**:
1. Start Charon with HTTPS enabled
2. Use browser dev tools or curl to inspect response headers
3. Verify presence of:
- `Content-Security-Policy`
- `Strict-Transport-Security` (with preload)
- `X-Frame-Options: DENY`
- `X-Content-Type-Options: nosniff`
- `Referrer-Policy`
- `Permissions-Policy`
**curl command**:
```bash
curl -I https://your-charon-instance.com/
```
---
### 3. Container Hardening (Optional - Production)
**Objective**: Verify documented container hardening works.
**Steps**:
1. Deploy Charon using the hardened docker-compose config from docs/security.md
2. Verify container starts successfully with `read_only: true`
3. Verify all functionality works (proxy hosts, certificates, etc.)
4. Verify logs are written to tmpfs mount
---
### 4. Documentation Review
**Objective**: Verify all documentation is accurate and complete.
**Pages to Review**:
- [ ] `docs/security.md` - TLS, DNS, Container Hardening sections
- [ ] `docs/security-incident-response.md` - SIRP document
- [ ] `docs/getting-started.md` - Security Update Notifications section
**Check for**:
- Correct code examples
- Working links
- No typos or formatting issues
---
### 5. SBOM Generation (CI/CD)
**Objective**: Verify SBOM is generated on release builds.
**Steps**:
1. Push a commit to trigger a non-PR build
2. Check GitHub Actions workflow run
3. Verify "Generate SBOM" step completes successfully
4. Verify "Attest SBOM" step completes successfully
5. Verify attestation is visible in GitHub container registry
---
## Acceptance Criteria
- [ ] All test scenarios pass
- [ ] No regressions in existing functionality
- [ ] Documentation is accurate and helpful
---
**Tester**: ________________
**Date**: ________________
**Result**: [ ] PASS / [ ] FAIL
Reference in New Issue View Git Blame Copy Permalink