taiars/nora
1
0
Fork 0
mirror of https://github.com/getnora-io/nora.git synced 2026-04-12 06:50:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: harden Docker registry and container runtime

Browse Source 
- Verify blob digest (SHA256) on upload, reject mismatches (DIGEST_INVALID)
- Reject sha512 digests (only sha256 supported)
- Add upload session limits: max 100 concurrent, 2GB per session, 30min TTL
- Bind upload sessions to repository name (prevent session fixation)
- Filter .meta.json from Docker tag list (fix ArgoCD Image Updater recursion)
- Fix catalog to show namespaced images (library/alpine instead of library)
- Add security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Run containers as non-root user (USER nora) in all 3 Dockerfiles
- Add configurable NORA_MAX_UPLOAD_SESSIONS and NORA_MAX_UPLOAD_SESSION_SIZE_MB
This commit is contained in:
devitway
2026-03-19 08:29:28 +00:00
parent f76dab1184
commit fa2cd45ed3
8 changed files with 225 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@@ -39,6 +39,11 @@
- **Security**
- Basic Auth (htpasswd + bcrypt)
- Revocable API tokens with RBAC
- Blob digest verification (SHA256)
- Non-root container images
- Security headers (CSP, X-Frame-Options, nosniff)
- Upload session limits (DoS protection)
- Configurable upload size for ML models (`NORA_MAX_UPLOAD_SESSION_SIZE_MB`)
- ENV-based configuration (12-Factor)
- SBOM (SPDX + CycloneDX) in every release
- See [SECURITY.md](SECURITY.md) for vulnerability reporting