akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
834f59318dce0fd098c1cd3f251531aee94fd310
Charon/docs/issues/issue-365-manual-test-plan.md

2.8 KiB
Raw Blame History

title, labels, type, priority, parent_issue
title labels type priority parent_issue
Issue #365: Additional Security Enhancements - Manual Test Plan
manual-testing
security
testing
testing medium 365

Issue #365: Additional Security Enhancements - Manual Test Plan

Issue: https://github.com/Wikid82/Charon/issues/365 PRs: #436, #437 Status: Ready for Manual Testing

Test Scenarios

1. Invite Token Security

Objective: Verify constant-time token comparison doesn't leak timing information.

Steps:

  1. Create a new user invite via the admin UI
  2. Copy the invite token from the generated link
  3. Attempt to accept the invite with the correct token - should succeed
  4. Attempt to accept with a token that differs only in the last character - should fail with same response time
  5. Attempt to accept with a completely wrong token - should fail with same response time

Expected: Response times should be consistent regardless of where the token differs.

2. Security Headers Verification

Objective: Verify all security headers are present.

Steps:

  1. Start Charon with HTTPS enabled
  2. Use browser dev tools or curl to inspect response headers
  3. Verify presence of:
    • Content-Security-Policy
    • Strict-Transport-Security (with preload)
    • X-Frame-Options: DENY
    • X-Content-Type-Options: nosniff
    • Referrer-Policy
    • Permissions-Policy

curl command:

curl -I https://your-charon-instance.com/

3. Container Hardening (Optional - Production)

Objective: Verify documented container hardening works.

Steps:

  1. Deploy Charon using the hardened docker-compose config from docs/security.md
  2. Verify container starts successfully with read_only: true
  3. Verify all functionality works (proxy hosts, certificates, etc.)
  4. Verify logs are written to tmpfs mount

4. Documentation Review

Objective: Verify all documentation is accurate and complete.

Pages to Review:

  • docs/security.md - TLS, DNS, Container Hardening sections
  • docs/security-incident-response.md - SIRP document
  • docs/getting-started.md - Security Update Notifications section

Check for:

  • Correct code examples
  • Working links
  • No typos or formatting issues

5. SBOM Generation (CI/CD)

Objective: Verify SBOM is generated on release builds.

Steps:

  1. Push a commit to trigger a non-PR build
  2. Check GitHub Actions workflow run
  3. Verify "Generate SBOM" step completes successfully
  4. Verify "Attest SBOM" step completes successfully
  5. Verify attestation is visible in GitHub container registry

Acceptance Criteria

  • All test scenarios pass
  • No regressions in existing functionality
  • Documentation is accurate and helpful

Tester: ________________ Date: ________________ Result: [ ] PASS / [ ] FAIL

Reference in New Issue View Git Blame Copy Permalink