Ferro is designed with security as a priority. This page summarizes the security features and policies. For the full security policy, see SECURITY.md in the repository.
| Severity | Initial Response | Patch Release |
|---|---|---|
| Critical (RCE, auth bypass) | 24 hours | 72 hours |
| High (data exposure, privilege escalation) | 48 hours | 7 days |
| Medium (CSRF, XSS, information disclosure) | 72 hours | 14 days |
| Low (best practices, minor issues) | 1 week | Next release |
| Method | Description |
|---|---|
| Simple auth | HTTP Basic Auth with bcrypt-hashed passwords (cost factor 12) |
| OIDC | OpenID Connect with PKCE flow (Keycloak, Auth0, Google, etc.) |
| LDAP | LDAP authentication (behind the `ldap` feature flag) |
| Authorization | Cedar policy engine for fine-grained access control |
| Layer | Implementation |
|---|---|
| Transport | TLS 1.3 (rustls) |
| File E2E | age (X25519, ChaCha20-Poly1305) |
| Passwords | bcrypt (cost factor 12) |
| Tokens | HMAC-SHA256 |
| Comparison | Constant-time for secrets |
- Path traversal prevention (normalized paths, `..` rejected)
- Content-Type validation on uploads
- Request body size limits (configurable, default 1 GB)
- XML entity expansion prevention in WebDAV
| Header | Value |
|---|---|
| Strict-Transport-Security | `max-age=31536000; includeSubDomains` |
| X-Content-Type-Options | `nosniff` |
| X-Frame-Options | `DENY` |
| Content-Security-Policy | Configurable |
| X-Request-ID | Unique per request (audit trail) |
- HTTP Signatures (draft-cavage-http-signatures-12)
- HMAC-SHA256 verification
- Actor `keyId` validation (must match the activity's actor)
- Empty federation secret = federation disabled (responds with 503)
- Per-IP token-bucket rate limiter
- Default: 10,000 requests per 60-second window
- Returns 429 Too Many Requests when exceeded
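The per-IP token bucket described above, as an added illustration rather than Ferro's own implementation: `RateLimiter`, `Decision` and the injected `now` clock are assumed names, and the integer scaling (tokens counted in window-milliseconds) is one way to keep continuous refill exact without floating point.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::Duration;

/// Outcome of a rate-limit check; the HTTP layer maps `TooManyRequests` to 429.
#[derive(Debug, PartialEq, Eq)]
pub enum Decision { Allowed, TooManyRequests }

/// Per-IP token bucket: `capacity` requests per `window`, refilled
/// continuously. Token counts are scaled by the window length in ms so
/// the refill arithmetic stays exact in integers (no float drift).
pub struct RateLimiter {
    capacity: u64,
    window_ms: u64,
    buckets: HashMap<IpAddr, (u64, Duration)>, // (scaled tokens, last refill)
}

impl RateLimiter {
    pub fn new(capacity: u64, window: Duration) -> Self {
        Self { capacity, window_ms: window.as_millis() as u64, buckets: HashMap::new() }
    }

    /// The documented default: 10,000 requests per 60-second window.
    pub fn with_defaults() -> Self {
        Self::new(10_000, Duration::from_secs(60))
    }

    /// `now` is monotonic elapsed time (e.g. from an `Instant` anchored at
    /// process start); it is injected so the logic is testable without sleeping.
    pub fn check(&mut self, ip: IpAddr, now: Duration) -> Decision {
        let full = self.capacity * self.window_ms; // bucket holds `capacity` requests
        let cost = self.window_ms; // one request consumes `window_ms` scaled tokens
        let (tokens, last) = self.buckets.entry(ip).or_insert((full, now));
        let elapsed_ms = now.saturating_sub(*last).as_millis() as u64;
        *tokens = tokens.saturating_add(elapsed_ms.saturating_mul(self.capacity)).min(full);
        *last = now;
        if *tokens >= cost {
            *tokens -= cost;
            Decision::Allowed
        } else {
            Decision::TooManyRequests
        }
    }

    /// HTTP status the handler returns for a decision.
    pub fn status(d: &Decision) -> u16 {
        match d { Decision::Allowed => 200, Decision::TooManyRequests => 429 }
    }
}
```

A new client starts with a full bucket, so a burst up to `capacity` is permitted and further requests are rejected until enough of the window has elapsed to refill whole tokens.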
- Non-root containers where supported
- `no-new-privileges` security option
- `cap-drop: ALL` with minimal capabilities
- Resource limits on all containers
- Health checks on all services
- No secrets in configuration files
Ferro tracks all file operations in an audit log. Access it via:

```bash
curl http://localhost:8080/api/audit?limit=50 \
  -H "Authorization: Bearer TOKEN"
```
| Version | Supported |
|---|---|
| 2.x | Yes |
| < 2.0 | No |
- Weekly `cargo audit` (automated in CI)
- Monthly manual review of new dependencies
- No dependencies with known critical CVEs
- Prefer pure-Rust implementations over C bindings
Ferro is designed to be pen-testable. See SECURITY.md for the full penetration testing guide including test cases for authentication bypass, path traversal, XML injection, federation spoofing, and more.