Test Caddy. Integrate and Define Secure Coding Best Practices #44

@bbartling

🎯 Goal

Create a security best practices guide for Open-FDD and integrate Trivy into the development lifecycle for dependency and container scanning, plus document and validate our edge-deployment security posture using Caddy (reverse proxy + auth) and TLS with self-signed certificates.

Reference: https://trivy.dev/

🛠 What To Do

  1. Create a new document:

    docs/security/secure-development.md

  2. The document should include:

    1️⃣ Deployment Assumptions (Edge / Behind Firewall)

    • Open-FDD is designed to sit behind a firewall (not publicly exposed)
    • Threat model and what we do / don’t protect against by default
    • Recommended network segmentation (OT/IT boundary guidance)

    2️⃣ Integrating Trivy

    • How to install locally
    • How to run:
      • Filesystem scan
      • Python dependency scan
      • Docker image scan (if applicable)
    • Example CLI commands
    • Suggested GitHub Actions workflow snippet

    3️⃣ Caddy Reverse Proxy + Auth + TLS

    Document and validate:

    • Caddy reverse proxy configuration for FastAPI
    • Auth approach (basic auth / forward auth / SSO if applicable)
    • TLS setup using self-signed certificates
    • How to trust/install the CA on a developer machine for testing
    • Verification steps:
      • Confirm requests fail without auth
      • Confirm TLS is negotiated
      • Confirm FastAPI is not directly reachable except through Caddy (where applicable)

    4️⃣ Security Testing Checklist

    Include a practical checklist such as:

    • TLS verification (curl -v, browser check, cert chain check)
    • Auth verification (401/403 behaviors)
    • CORS expectations (if UI exists)
    • Rate limiting / request limits at proxy (if enabled)
    • Logging/audit expectations

    5️⃣ Additional Recommended Tools

    Examples:

    • Bandit (Python security linting)
    • pip-audit
    • Dependabot
    • Pre-commit hooks
    • Container hardening recommendations

    6️⃣ Open-FDD Hardening Recommendations

    Suggested areas to evaluate:

    • Input validation in FastAPI endpoints
    • Authentication & role-based access (especially for “run faults now”)
    • Protecting API keys and credentials (never commit secrets)
    • Docker least-privilege principles
    • Logging and audit trail practices

  3. (Optional Bonus)

    • Add a basic GitHub Actions workflow that runs Trivy on push and fails on HIGH/CRITICAL vulnerabilities.
    • Add a minimal example Caddyfile in docs/security/ or examples/ to support the guide.
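As an added example (not code from Open-FDD or the Trivy project), the scans item 2 asks for together with the HIGH/CRITICAL gate from the optional bonus, written as a shell script that a CI step can call. `trivy fs` reads the Python lock and requirements files in the tree, so it covers the dependency scan as well as the filesystem scan; the image tag, script name, report path and the sample report are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not Open-FDD project code: Trivy scans with a HIGH/CRITICAL gate.
# Assumes trivy is on PATH (https://trivy.dev/); image tag and paths are placeholders.
set -euo pipefail

SEVERITIES="${SEVERITIES:-HIGH,CRITICAL}"

# Filesystem scan of a checkout: picks up requirements.txt / poetry.lock / Pipfile.lock
# (the Python dependency scan) and also looks for committed secrets.
# --ignore-unfixed keeps the gate actionable: only findings with an upstream fix fail it.
trivy_fs_scan() {
  local path="${1:-.}"
  trivy fs --scanners vuln,secret --severity "$SEVERITIES" --ignore-unfixed --exit-code 1 "$path"
}

# Image scan of a built container, same gate.
trivy_image_scan() {
  local image="${1:-openfdd:local}"   # placeholder tag
  trivy image --severity "$SEVERITIES" --ignore-unfixed --exit-code 1 "$image"
}

# JSON report for archiving as a CI artefact (no exit-code gate; the gate runs on the file).
trivy_json_report() {
  local path="$1" out="$2"
  trivy fs --scanners vuln --format json --output "$out" "$path"
}

# Count HIGH/CRITICAL entries in a Trivy JSON report without needing jq.
# Trivy emits one "Severity" field per vulnerability, so counting occurrences is enough.
count_high_critical() {
  { grep -oE '"Severity": *"(HIGH|CRITICAL)"' "$1" || true; } | wc -l | tr -d ' '
}

# Gate on an existing report: succeed only when nothing HIGH/CRITICAL remains.
gate_report() {
  local n
  n=$(count_high_critical "$1")
  echo "HIGH/CRITICAL findings: $n"
  [ "$n" -eq 0 ]
}

# Constructed sample report in Trivy's JSON shape, for trying the gate offline.
# The CVE ids and package names below are placeholders, not real advisories.
write_sample_report() {
  cat > "$1" <<'EOF'
{
  "SchemaVersion": 2,
  "Results": [
    {
      "Target": "requirements.txt",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplepkg", "Severity": "CRITICAL", "FixedVersion": "1.2.3"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "examplepkg", "Severity": "HIGH", "FixedVersion": "1.2.3"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "otherpkg", "Severity": "MEDIUM", "FixedVersion": "2.0.0"}
      ]
    }
  ]
}
EOF
}

# Usage from a CI step: ./trivy-gate.sh ci   (placeholder script name)
if [ "${1:-}" = "ci" ]; then
  trivy_fs_scan .
  trivy_json_report . trivy-report.json
  gate_report trivy-report.json
fi
```

A GitHub Actions job can simply install Trivy and run `./trivy-gate.sh ci`; the `--exit-code 1` on the `fs` scan is what fails the workflow on HIGH/CRITICAL, and the JSON report plus `gate_report` give a reviewable count to attach to the run.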

📎 Deliverable

  • docs/security/secure-development.md
  • Clear, actionable guidance
  • Includes Trivy usage + CI suggestion
  • Includes Caddy auth + self-signed TLS testing steps
  • At least 3 additional recommended tools beyond Trivy
  • At least 5 concrete Open-FDD security improvement suggestions
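For item 3 and the verification steps in item 4, an added example (not the project's own Caddyfile or tooling) that writes a Caddyfile using Caddy's internal CA (a locally generated self-signed root) in front of FastAPI with basic auth, then runs the checks the issue lists: no credentials gives 401, credentials pass through, TLS is negotiated, and the backend port is bound to loopback only. `openfdd.local`, the backend address, the log path and the script name are placeholder assumptions; `basic_auth` is the Caddy 2.8+ spelling of the directive, and `caddy trust` installs the internal root CA into the developer machine's trust store.

```shell
#!/usr/bin/env bash
# Added example, not Open-FDD project code: Caddy in front of FastAPI with basic auth
# and Caddy's internal (self-signed) CA, plus the verification steps from the issue.
# SITE, BACKEND and the log path are placeholder assumptions.
set -euo pipefail

SITE="${SITE:-openfdd.local}"          # add to /etc/hosts on the dev machine for testing
BACKEND="${BACKEND:-127.0.0.1:8000}"   # uvicorn must bind to 127.0.0.1, not 0.0.0.0

# Caddyfile: TLS from Caddy's local CA, basic auth on every route, access log for audit.
write_caddyfile() {
  local out="$1" user="$2" hash="$3"   # hash from: caddy hash-password --plaintext '<pw>'
  cat > "$out" <<EOF
$SITE {
    tls internal
    basic_auth {
        $user $hash
    }
    reverse_proxy $BACKEND
    log {
        output file /var/log/caddy/openfdd-access.log
    }
}
EOF
}

# Static check used before (re)loading: both the auth and the proxy directive are present,
# so a mis-edit cannot silently expose the backend without credentials.
caddyfile_has_auth_and_proxy() {
  grep -q '^[[:space:]]*basic_auth' "$1" && grep -q '^[[:space:]]*reverse_proxy' "$1"
}

# Compare an expected HTTP status with the one curl observed.
expect_status() {
  local expected="$1" actual="$2" label="$3"
  if [ "$expected" = "$actual" ]; then
    echo "ok   $label ($actual)"
  else
    echo "FAIL $label: expected $expected, got $actual" >&2
    return 1
  fi
}

# Live checks: need caddy and uvicorn running and the CA trusted (caddy trust).
verify_live() {
  local user="$1" pass="$2" code
  code=$(curl -s -o /dev/null -w '%{http_code}' "https://$SITE/")
  expect_status 401 "$code" "request without credentials is rejected"
  code=$(curl -s -o /dev/null -w '%{http_code}' -u "$user:$pass" "https://$SITE/")
  expect_status 200 "$code" "request with credentials reaches FastAPI"
  # TLS negotiated against a trusted chain: curl -v prints the protocol and the subject.
  curl -sv -o /dev/null "https://$SITE/" 2>&1 | grep -E 'SSL connection using|subject:' \
    || { echo "FAIL no TLS negotiation details from curl" >&2; return 1; }
  # Backend not directly reachable: it must listen on loopback only (Linux ss output).
  if ss -ltn | grep -qE '(0\.0\.0\.0|\*|\[::\]):8000'; then
    echo "FAIL FastAPI port 8000 is bound on all interfaces" >&2; return 1
  fi
  echo "ok   FastAPI port 8000 is loopback-only"
}

# Usage: OPENFDD_ADMIN_PASSWORD=... ./caddy-check.sh run   (placeholder script name)
if [ "${1:-}" = "run" ]; then
  user="admin"; pass="${OPENFDD_ADMIN_PASSWORD:?set OPENFDD_ADMIN_PASSWORD}"
  hash=$(caddy hash-password --plaintext "$pass")
  write_caddyfile ./Caddyfile "$user" "$hash"
  caddyfile_has_auth_and_proxy ./Caddyfile
  caddy validate --config ./Caddyfile
  caddy start --config ./Caddyfile   # background instance; creates the internal CA
  caddy trust                        # install that root CA on this dev machine
  verify_live "$user" "$pass"
fi
```

Start FastAPI with the backend bound to loopback first (for example `uvicorn app:app --host 127.0.0.1 --port 8000`, module name a placeholder), then run the script; the `ss` check is Linux-only, and on another OS the equivalent is confirming that port 8000 is not listening on a non-loopback address.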
