Skip to content

Security: ichwars/CalendarAdvanced

Security

docs/security.md

Security

CalendarAdvanced uses OWASP ASVS as the baseline for security decisions. This document records the relevant implementation choices and operational limits.

Identity and sessions

  • There is no default user. First-run setup is required before login.
  • Passwords are hashed with Argon2id through the system Argon2 library.
  • Password policy requires at least 12 characters with lower-case, upper-case, digit and symbol classes.
  • Session tokens are generated with crypto/rand and only SHA-256 token hashes are stored in SQLite.
  • Session cookies are HTTP-only and SameSite Strict.
  • CALENDAR_COOKIE_SECURE=true should be used behind HTTPS.
  • CSRF tokens are random and compared against the session-bound hash for write requests.
  • Password changes, password resets, 2FA changes and reset completion revoke active sessions.

Two-factor authentication

  • TOTP uses HMAC-SHA1 with a 30-second step and ±1 step drift allowance.
  • Backup codes are random one-time codes and only token hashes are stored.
  • Backup-code use is audit logged.
  • Disabling 2FA requires the current password.

Authorization

Server-side role checks are required. The frontend only hides actions for usability.

  • Admin: system, users, integrations and global settings.
  • Editor: calendars and events.
  • Viewer: read-only access.

Rate limits

The application enforces rate limits for setup, login and password reset. Counters are stored in SQLite rate_limits with a periodic cleanup for expired windows, with an in-process fallback when storage is unavailable. The app intentionally uses the direct peer address instead of trusting arbitrary X-Forwarded-For headers. For internet-facing use, keep reverse-proxy rate limits enabled too.

Audit logging

Audit events are written for setup, login, logout, password changes, password resets, 2FA changes, user management, calendar changes, event changes, integrations, exports and backups. Secrets are never logged.

Admins can filter the audit log by action, actor, entity type, time range and search text. Filtered audit entries can be exported as CSV for offline review.

Security headers

The API middleware sends:

  • Content-Security-Policy
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: no-referrer
  • X-Frame-Options: DENY
  • Permissions-Policy

Backups

JSON backups include app data such as calendars and events. They intentionally exclude password hashes, sessions, reset tokens, TOTP secrets and backup codes.

Attachments

Attachment metadata is validated against a central upload policy before files are accepted. The policy blocks executable/script extensions, limits files to 10 MB, allows only the configured MIME types and exposes whether a virus-scan hook is configured. Until a scanner integration is wired, the hook status is reported as not_configured.

Known limits for this MVP

  • CalDAV write operations support VEVENT PUT/DELETE with ETag preconditions. Advanced scheduling flows such as attendee inbox/outbox handling remain outside the MVP.
  • Native libraries libsqlite3 and libargon2 are part of the runtime trust base.

There aren't any published security advisories