Charon/docs/issues/created/20251221-issue-365-manual-test-plan.md
akanealw eec8c28fb3
changed perms
2026-04-22 18:19:14 +00:00


title: Issue #365: Additional Security Enhancements - Manual Test Plan
labels: manual-testing, security, testing
type: testing
priority: medium
parent_issue: 365

Issue #365: Additional Security Enhancements - Manual Test Plan

Issue: https://github.com/Wikid82/Charon/issues/365
PRs: #436, #437
Status: Ready for Manual Testing


Test Scenarios

1. Invite Token Security

Objective: Verify constant-time token comparison doesn't leak timing information.

Steps:

  1. Create a new user invite via the admin UI
  2. Copy the invite token from the generated link
  3. Attempt to accept the invite with the correct token - should succeed
  4. Attempt to accept with a token that differs only in the last character - should fail with the same response time
  5. Attempt to accept with a completely wrong token - should fail with the same response time

Expected: Response times should be consistent regardless of where the token differs.


2. Security Headers Verification

Objective: Verify all security headers are present.

Steps:

  1. Start Charon with HTTPS enabled
  2. Use browser dev tools or curl to inspect response headers
  3. Verify presence of:
    • Content-Security-Policy
    • Strict-Transport-Security (with preload)
    • X-Frame-Options: DENY
    • X-Content-Type-Options: nosniff
    • Referrer-Policy
    • Permissions-Policy

curl command:

curl -I https://your-charon-instance.com/
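
The header check from steps 2 and 3 can be scripted so the result is a pass/fail per header rather than a visual scan. This is an added example, not part of the Charon repository; the function names (check_header, check_security_headers, sample_response) and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the headers listed in this test plan.
# Input: a response header block (e.g. from `curl -sI`) on stdin.

# check_header NAME REQUIRED_SUBSTRING HEADERS -> prints PASS/FAIL, returns 0/1
check_header() {
  # Header names are case-insensitive (HTTP/2 prints them in lowercase).
  value=$(printf '%s\n' "$3" | grep -i "^$1:" | head -n 1 |
    cut -d: -f2- | sed 's/^[[:space:]]*//')
  if [ -z "$value" ]; then
    echo "FAIL  $1: missing"; return 1
  fi
  if [ -n "$2" ] && ! printf '%s\n' "$value" | grep -qi -- "$2"; then
    echo "FAIL  $1: expected \"$2\" in \"$value\""; return 1
  fi
  echo "PASS  $1: $value"
}

# Returns the number of failed checks as the exit status (0 = all passed).
check_security_headers() {
  headers=$(tr -d '\r')   # HTTP header lines end in CRLF
  failures=0
  check_header "Content-Security-Policy"   ""        "$headers" || failures=$((failures + 1))
  check_header "Strict-Transport-Security" "preload" "$headers" || failures=$((failures + 1))
  check_header "X-Frame-Options"           "DENY"    "$headers" || failures=$((failures + 1))
  check_header "X-Content-Type-Options"    "nosniff" "$headers" || failures=$((failures + 1))
  check_header "Referrer-Policy"           ""        "$headers" || failures=$((failures + 1))
  check_header "Permissions-Policy"        ""        "$headers" || failures=$((failures + 1))
  return "$failures"
}

# Constructed sample response (not captured from a real Charon instance).
# HSTS deliberately lacks "preload", so exactly one check fails.
sample_response() {
  printf '%s\r\n' \
    'HTTP/2 200' \
    'content-security-policy: default-src https:' \
    'strict-transport-security: max-age=31536000; includeSubDomains' \
    'x-frame-options: DENY' \
    'x-content-type-options: nosniff' \
    'referrer-policy: strict-origin-when-cross-origin' \
    'permissions-policy: camera=(), microphone=()'
}

sample_response | check_security_headers || echo "failed checks: $?"
# Against a live instance:
#   curl -sI https://your-charon-instance.com/ | check_security_headers
```
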

3. Container Hardening (Optional - Production)

Objective: Verify documented container hardening works.

Steps:

  1. Deploy Charon using the hardened docker-compose config from docs/security.md
  2. Verify container starts successfully with read_only: true
  3. Verify all functionality works (proxy hosts, certificates, etc.)
  4. Verify logs are written to tmpfs mount

4. Documentation Review

Objective: Verify all documentation is accurate and complete.

Pages to Review:

  • docs/security.md - TLS, DNS, Container Hardening sections
  • docs/security-incident-response.md - SIRP document
  • docs/getting-started.md - Security Update Notifications section

Check for:

  • Correct code examples
  • Working links
  • No typos or formatting issues

5. SBOM Generation (CI/CD)

Objective: Verify SBOM is generated on release builds.

Steps:

  1. Push a commit to trigger a non-PR build
  2. Check GitHub Actions workflow run
  3. Verify "Generate SBOM" step completes successfully
  4. Verify "Attest SBOM" step completes successfully
  5. Verify attestation is visible in GitHub container registry

Acceptance Criteria

  • All test scenarios pass
  • No regressions in existing functionality
  • Documentation is accurate and helpful

Tester: ________________ Date: ________________ Result: [ ] PASS / [ ] FAIL