Safely making resources available with the server

Securing

These documents describe: working with the file system to properly set permissions on server software, forbidding public access to resources, blocking usage by bad actors, and using the server's role-based access control module.

File Permissions

File system enforcement of process privileges

This note describes the checks taken by the server's file system to limit the server's ability to access devices files outside its scope.
file permissions, document-root, encoding-cache, dynamic-cache, readable, writable, read-write

Forbidden

Preventing public access to hidden files and special directories

This note describes how to block hidden files and special directories from being requested by the server.
forbidden, hidden files, special directories, path-pattern, rw-forbidden, GRAVE-ACCENTS, SOLIDUS, ASTERISK

IP Access

Whitelisting and blacklisting by IP address

This note describes how to configure the server to restrict incoming requests from selected IP addresses.
IP address, allow, deny, whitelist, blacklist, IP4, CIDR notation, rw-ip-access

RBAC

Using role based access controls to restrict resource usage

This note describes the Role Based Access Control (RBAC) mechanism of the server. Access to resources are allowed or denied based on resource patterns and request methods matched against user-assigned roles.
RBAC, Role Based Access Control, roles, allow, deny, anonymous, rw-rbac-no-matching-role, rw-rbac-no-resource-rule, cipher-secret, max-idle

User Accounts

Creating role based user accounts to access resources

This note describes how user credentials are created through an external CLI utility. Passwords are SHA256 hashed using a nonce. Passwords are not discoverable or recoverable.
addrole, SHA256, nonce, passwords, anonymous, shaDigest, RBAC

Auth Handler

Sending login/logout requests to the server

This note describes how the server handles POST requests to login and logout of the Role Based Access Control mechanism.
login, logout, user, password, rw-rbac-unsupported-method, rw-rbac-unsupported-content-type, rw-rbac-unsupported-action, rw-rbac-missing-credentials, rw-rbac-forbidden, rw-rbac-internal-error

Stateful Roles

Safely propagating user access roles between session requests

This note documents how roles are propagated from one request to the next without accessing the server's authorization file every time.
roles, RBAC, AES-192, symmetric-key encryption, cipher-secret, max-idle, rw-rbac-forged, rw-rbac-remote-address, rw-rbac-expired, rw-rbac-renewal

Cookies

Maintaining state between browser requests

This note describes the cookie protocol used by the server to maintain state between browser requests.
set-cookie, _cookieMap, decodeURIComponent, RBAC, Role Based Access Controls

Safely making resources available with the server