CalendarAdvanced uses OWASP ASVS as the baseline for security decisions. This document records the relevant implementation choices and operational limits.
- There is no default user. First-run setup is required before login.
- Passwords are hashed with Argon2id through the system Argon2 library.
- Password policy requires at least 12 characters with lower-case, upper-case, digit and symbol classes.
- Session tokens are generated with
crypto/randand only SHA-256 token hashes are stored in SQLite. - Session cookies are HTTP-only and SameSite Strict.
CALENDAR_COOKIE_SECURE=trueshould be used behind HTTPS.- CSRF tokens are random and compared against the session-bound hash for write requests.
- Password changes, password resets, 2FA changes and reset completion revoke active sessions.
- TOTP uses HMAC-SHA1 with a 30-second step and ±1 step drift allowance.
- Backup codes are random one-time codes and only token hashes are stored.
- Backup-code use is audit logged.
- Disabling 2FA requires the current password.
Server-side role checks are required. The frontend only hides actions for usability.
- Admin: system, users, integrations and global settings.
- Editor: calendars and events.
- Viewer: read-only access.
The application enforces rate limits for setup, login and password reset. Counters are stored in SQLite rate_limits with a periodic cleanup for expired windows, with an in-process fallback when storage is unavailable. The app intentionally uses the direct peer address instead of trusting arbitrary X-Forwarded-For headers. For internet-facing use, keep reverse-proxy rate limits enabled too.
Audit events are written for setup, login, logout, password changes, password resets, 2FA changes, user management, calendar changes, event changes, integrations, exports and backups. Secrets are never logged.
Admins can filter the audit log by action, actor, entity type, time range and search text. Filtered audit entries can be exported as CSV for offline review.
The API middleware sends:
- Content-Security-Policy
- X-Content-Type-Options: nosniff
- Referrer-Policy: no-referrer
- X-Frame-Options: DENY
- Permissions-Policy
JSON backups include app data such as calendars and events. They intentionally exclude password hashes, sessions, reset tokens, TOTP secrets and backup codes.
Attachment metadata is validated against a central upload policy before files are accepted. The policy blocks executable/script extensions, limits files to 10 MB, allows only the configured MIME types and exposes whether a virus-scan hook is configured. Until a scanner integration is wired, the hook status is reported as not_configured.
- CalDAV write operations support VEVENT
PUT/DELETEwith ETag preconditions. Advanced scheduling flows such as attendee inbox/outbox handling remain outside the MVP. - Native libraries
libsqlite3andlibargon2are part of the runtime trust base.