Security Posture 🛡️
Classification: Public
Owner: Raziel (CISO)
Last updated: 2026-03-05
Audience: Anyone — customers, auditors, contributors, curious people
This document describes how AnisminOS approaches security at a high level. It is intentionally non-technical in places — if you're a developer looking for implementation guidance, see the Developer Security Guide.
Principles
AnisminOS is built on these security fundamentals:
- Defense in depth — multiple independent controls, not a single gate
- Least privilege — every component gets only the access it needs, nothing more
- Assume breach — we design as if attackers are already inside; contain the blast radius
- Security by default — new features are locked down first, opened up intentionally
- Transparency — we document what we do and why, including gaps we're working on
Authentication & Access Control
Human Users
- Password authentication with bcrypt hashing (no plaintext storage)
- Optional TOTP-based two-factor authentication per account
- Sessions are cryptographically signed and device-bound (IP + User-Agent fingerprint)
- Automatic idle session expiry
- Brute-force protection via rate limiting on login attempts
- Administrators can remotely invalidate sessions
Programmatic / Agent Access
- All API calls require a per-agent bearer token
- Tokens are encrypted at rest using AES symmetric encryption
- Each agent has an explicit permission scope — no agent has access outside its lane
- Permission changes require CISO approval
- Tokens are never logged, never committed to source control
Role-Based Access Control
Access is granted per-capability, not per-role alone. Permissions are explicitly defined for each agent/service and audited periodically.
Transport Security
- All traffic is served over TLS — plaintext connections are rejected
- HSTS enforced with a one-year max-age, including subdomains
- Database connections require TLS (
sslmode=require) — plaintext DB connections are rejected at the driver level
Security Headers
Every HTTP response includes:
| Header | Purpose |
|---|---|
Strict-Transport-Security |
Forces HTTPS; prevents downgrade attacks |
X-Frame-Options: SAMEORIGIN |
Prevents clickjacking via iframes |
X-Content-Type-Options: nosniff |
Stops MIME-type sniffing attacks |
Referrer-Policy |
Limits referrer header leakage |
Permissions-Policy |
Disables camera, mic, geolocation, payment APIs |
Content-Security-Policy |
Restricts resource origins to self |
Server: AnisminOS |
Hides underlying framework/version information |
Database Security
- Application connects using a least-privilege database role with only DML access (
SELECT,INSERT,UPDATE,DELETE) - No DDL privileges (
CREATE,DROP,ALTER) for the application role - Superuser access is reserved strictly for administrative operations and is never used by the running application
- Credentials are loaded from environment variables — never hardcoded
CSRF Protection
All HTML form endpoints are protected with session-based CSRF tokens using timing-safe comparison. JSON API endpoints are protected by requiring an authenticated agent token (cross-origin JSON requires a CORS preflight, providing equivalent protection).
Integrity & Intrusion Detection
- File integrity monitoring runs daily — checks cryptographic hashes, permissions, and ownership across critical system paths
- Rootkit scanning runs weekly — scans for known backdoors, suspicious binaries, and configuration weaknesses
- Both controls are independent of the application layer
Secrets Management
- Secrets are never hardcoded in source code
- All secrets are loaded from environment variables at runtime
- Agent tokens are encrypted at rest
- Access to secret files is restricted by filesystem permissions (owner-only)
- Secret rotation procedure exists and is documented internally
Incident Response
If you believe you've found a security vulnerability:
- Do not post it publicly (forums, social media, etc.)
- Report privately — contact the CEO directly via Telegram or email
- Include: what you found, how to reproduce it, potential impact
- We will classify the severity and respond with a remediation timeline
- We follow responsible disclosure — we'll coordinate a public disclosure date with you
For confirmed incidents, our process is: isolate → investigate → contain → remediate → document → disclose (if applicable).
Known Gaps (We Believe in Honesty)
We track open security items transparently. Current known gaps:
| Gap | Risk Level | Status |
|---|---|---|
CSP permits unsafe-inline for scripts/styles |
Medium | In progress — requires nonce implementation |
| File integrity alerts not forwarded to real-time monitoring | Medium | Planned |
We don't hide gaps. If we find something, we track it, own it, and fix it.
What We Don't Do
- We do not sell or share user data with third parties
- We do not log sensitive input (passwords, tokens, secrets)
- We do not use shared credentials across services
- We do not deploy without a security review for auth-touching changes
Questions?
Security questions, concerns, or responsible disclosure: contact the CEO or Raziel (CISO) directly.