User Privacy Security (78%)

  • Private and anonymous by default. No personally identifiable information required. Ever.
  • No logging of any events (except the currently logged-in sessions, which are kept for the enhanced session-security features), to provide additional privacy protection and anonymity
  • Expired Session and Failed Login Attempt logs are pruned continuously to ensure they’re kept to an absolute minimum
  • In development – All services are configured to use Tor by default, ensuring anonymity at all times
  • In development – Securely accessible from anywhere in the world using a Tor-enabled browser
  • Supports HTTP Strict Transport Security (HSTS), ensuring HTTPS is fully enforced application wide
  • Can be Self Hosted via a freely downloadable Docker image for full data and privacy sovereignty
  • All user data can be viewed, downloaded and deleted easily via Settings giving you instant, complete control
  • See all of your open sessions, when they expire and remotely log out of any you don’t want

Authentication Security (93%)

  • Password management fully follows NIST, NCSC and OWASP best practices
  • Usernames are case insensitive and unique
  • Password minimum length requirements set to 15+ characters by default
  • Password maximum length supported up to 255 characters with added protection against long password DoS attacks
  • No password complexity rules, no regular password resets and no security questions
  • Password fields fully accept “copy and paste” enabling users to easily input long, randomly generated passwords
  • Included password best practices tips to help users create strong passwords upon registration
  • Secure password reset via Admin notifications system
  • Password verification uses the dependency-free, inbuilt verify_hash function
  • The login page, like all other pages, is only accessible via HTTPS, so usernames and passwords are always sent over an encrypted connection
  • Generic login error messages ensure attackers cannot tell whether a given username is registered
  • Protection against timing attacks by ensuring the username and password verification code runs in the correct order
  • In development – App based Two Factor Authentication (2FA) support with no SMS support allowed
  • Protection against automated or brute force attacks by limiting login attempts and account lockouts

Password Storage (100%)

  • Password storage uses state of the art Argon2id hashing to secure against database breaches
  • Fully admin customisable Argon2id work factor parameters to suit your server capability and security needs
  • Automatic salting of all hashed passwords as part of the Argon2id standard
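
The Argon2id storage and the timing-safe login ordering described in the two sections above, as an added example that is not Athena Alpha's own code. It assumes PHP 7.4+ built with Argon2 support; ARGON2_OPTIONS is a constructed stand-in for the admin-configurable work factors, and the in-memory $users array stands in for the database.

```php
<?php
// Added example, not Athena Alpha's own code. Assumes PHP 7.4+ built with Argon2
// support; ARGON2_OPTIONS stands in for the admin-configurable work factors.
const ARGON2_OPTIONS = [     // constructed values; tune to the server's capacity
    'memory_cost' => 65536,  // KiB
    'time_cost'   => 4,
    'threads'     => 2,
];

function hashPassword(string $password): string
{
    // password_hash() draws a random salt and embeds it in the returned string.
    return password_hash($password, PASSWORD_ARGON2ID, ARGON2_OPTIONS);
}

// Hash of a throwaway random value, verified against whenever the username is
// unknown, so an unregistered name costs the same time as a wrong password.
function dummyHash(): string
{
    static $dummy = null;
    return $dummy ??= hashPassword(bin2hex(random_bytes(16)));
}

// $users maps lowercase username => Argon2id hash (a constructed in-memory store
// standing in for the database). Returns true only for a registered user whose
// password matches; the caller reports one generic "invalid credentials" message
// for both failure cases, so responses reveal nothing about which names exist.
function login(array &$users, string $username, string $password): bool
{
    $key  = strtolower(trim($username));   // usernames are case insensitive
    $hash = $users[$key] ?? dummyHash();   // verification runs either way
    $ok   = password_verify($password, $hash) && isset($users[$key]);
    if ($ok && password_needs_rehash($hash, PASSWORD_ARGON2ID, ARGON2_OPTIONS)) {
        $users[$key] = hashPassword($password);   // admin raised the work factors
    }
    return $ok;
}

// Constructed demo: one registered user, one correct login, one unknown username.
$users = ['alice' => hashPassword('correct horse battery staple pelican')];
var_dump(login($users, 'Alice', 'correct horse battery staple pelican'));
var_dump(login($users, 'mallory', 'correct horse battery staple pelican'));
```

The rehash branch is what makes the work factors safely "admin customisable": hashes stored under older parameters are upgraded transparently at the next successful login.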

Authorization Security (82%)

  • Authorization logic is built to be “deny by default” to ensure even when unexpected events occur resources are still secure
  • Authorization to any resource is always tested on every request made
  • Authorization checks are built into both client side (for an improved user experience) and verified on the server side too
  • In development – Authorization logic is centralised to ensure global compliance across all parts of the application
  • JWTs are signature protected and built to the latest standards for the best user experience and security
  • The secret key used to encode all JWTs is long, user configurable and generated from a secure source of randomness
  • In development – JWTs are stored in memory only (not cookies or local storage) to ensure protection against CSRF & XSS attacks
  • JWT access and refresh tokens are issued with a user-configurable expiry time, set to 15 minutes by default for enhanced security
  • JWTs are sent in the standard Authorization: Bearer header, so they always travel inside the encrypted HTTPS request and never in a URL
  • Encoding and decoding of JWTs uses standardised, dependency-free functions
  • Standard JWT claims such as iss, aud, exp and nbf are built into every token
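
A dependency-free HS256 encode/verify round trip carrying the iss, aud, exp and nbf claims listed above, as an added example that is not Athena Alpha's own code. The issuer and audience strings, the 15-minute lifetime and the in-script secret are constructed for the demo; in practice the secret is loaded from configuration.

```php
<?php
// Added example, not Athena Alpha's own code: HS256 JWT encode/verify with PHP
// built-ins only, carrying the iss, aud, exp and nbf claims the checklist names.
function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string
{
    $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($padded, '-_', '+/'), true) ?: '';
}

function encodeJwt(array $claims, string $secret): string
{
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Returns the claims, or null on any failure: malformed token, alg other than HS256
// (refusing "none" and algorithm swaps), bad signature, wrong iss/aud, expired, or
// not yet valid. Nothing in the token is trusted until this returns non-null.
function verifyJwt(string $jwt, string $secret, string $iss, string $aud, ?int $now = null): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;
    $hdr      = json_decode(b64urlDecode($header), true);
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (($hdr['alg'] ?? null) !== 'HS256' || !hash_equals($expected, $sig)) {
        return null;   // hash_equals() compares in constant time
    }
    $claims = json_decode(b64urlDecode($payload), true);
    $now  ??= time();
    if (!is_array($claims) || ($claims['iss'] ?? null) !== $iss || ($claims['aud'] ?? null) !== $aud
        || !isset($claims['exp'], $claims['nbf']) || $now >= $claims['exp'] || $now < $claims['nbf']) {
        return null;
    }
    return $claims;
}

// Constructed demo; in practice the secret is long, admin configurable and loaded from config.
$secret = bin2hex(random_bytes(32));
$token  = encodeJwt(['iss' => 'athena-alpha', 'aud' => 'athena-api', 'nbf' => time(), 'exp' => time() + 15 * 60], $secret);
var_dump(verifyJwt($token, $secret, 'athena-alpha', 'athena-api') !== null);
```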

Input Validation Security (100%)

  • All client side forms have strict and thorough data validation to prevent incorrect data being sent to the server
  • Data is validated immediately as it’s read into the system to prevent attacks as early as possible
  • Input validation code is standardized to ensure global compliance across all parts of the application
  • Data is validated at both the syntactic (e.g. a date field contains a date) and semantic (e.g. the start date is before the end date) level
  • Data is validated to ensure it adheres to logical length and value type limits
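
The syntactic-then-semantic check on the date example above, as an added example that is not Athena Alpha's own code. The field names start_date and end_date and the sample inputs are constructed; the round-trip comparison matters because createFromFormat() accepts impossible dates such as 2024-02-30 and silently rolls them over.

```php
<?php
// Added example, not Athena Alpha's own code: validate a start/end date pair first
// syntactically (is it a real calendar date?), then semantically (start before end).

// Syntactic check. createFromFormat('Y-m-d', '2024-02-30') does not fail; it rolls
// over to 2024-03-01, so the value is formatted back and compared with the input.
function parseDateStrict($value): ?DateTimeImmutable
{
    if (!is_string($value) || strlen($value) !== 10) {   // logical length and type check
        return null;
    }
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $value);  // '!' zeroes the time part
    return ($dt !== false && $dt->format('Y-m-d') === $value) ? $dt : null;
}

// Semantic check on the pair. Returns field => error message; empty array means valid.
function validateDateRange(array $input): array
{
    $errors = [];
    $start  = parseDateStrict($input['start_date'] ?? null);
    $end    = parseDateStrict($input['end_date'] ?? null);
    if ($start === null) {
        $errors['start_date'] = 'must be a calendar date in YYYY-MM-DD form';
    }
    if ($end === null) {
        $errors['end_date'] = 'must be a calendar date in YYYY-MM-DD form';
    }
    if ($start !== null && $end !== null && $start >= $end) {
        $errors['end_date'] = 'must be after start_date';
    }
    return $errors;
}

// Constructed sample inputs: the second has a plausible-looking but non-existent day,
// the third is well-formed but semantically reversed.
var_dump(validateDateRange(['start_date' => '2024-03-01', 'end_date' => '2024-03-10']));
var_dump(validateDateRange(['start_date' => '2024-02-30', 'end_date' => '2024-03-10']));
var_dump(validateDateRange(['start_date' => '2024-03-10', 'end_date' => '2024-03-01']));
```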

Database Security (83%)

  • The MariaDB database is hardened according to the MariaDB hardening guidelines
  • The MariaDB server itself is not run under the system's root account and uses the dedicated “mysql” user instead
  • The root database account is protected with a strong and unique password
  • The database account used by the API is not a root, sa or SYS level account and does not have administrative rights over the database
  • The database account used by the API is only allowed access to the specific Athena Alpha database
  • The database account used by the API is only allowed the SELECT, INSERT, UPDATE and DELETE actions
  • Database authentication details are separated out into their own, private configuration file enabling enhanced security
  • In development – Private configuration file containing database authentication details is stored outside the web root
  • In development – Access to the database is only allowed via a local socket file and Network (TCP) database access is disabled
  • Default databases and accounts have been removed as part of using the MariaDB Docker container
  • All database queries use prepared statements with variable binding to protect against SQL injection attacks
  • Database query code built using PHP PDO to enable support for a wide range of database back ends
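
The PDO set-up described in this section, plus a start-up check that the API account really holds only SELECT, INSERT, UPDATE and DELETE on the application database, as an added example that is not Athena Alpha's own code. The config path /etc/athena-alpha/db.php (returning dsn, user and password; a unix_socket DSN fits the socket-only access described above), the database name athena, the account name and the users table are all assumptions.

```php
<?php
// Added example, not Athena Alpha's own code: PDO set up as the checklist describes,
// plus a start-up check that the API account holds nothing beyond SELECT, INSERT,
// UPDATE and DELETE on the application's database. Assumed (hypothetical): a `users`
// table, and /etc/athena-alpha/db.php outside the web root returning dsn/user/password.
$cfg = require '/etc/athena-alpha/db.php';

$pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['password'], [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
    PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Returns every GRANT that exceeds the intended least-privilege set; empty means OK.
function excessGrants(PDO $pdo, string $dbName): array
{
    $allowed = ['SELECT', 'INSERT', 'UPDATE', 'DELETE'];
    $excess  = [];
    foreach ($pdo->query('SHOW GRANTS FOR CURRENT_USER()') as $row) {
        $grant = (string) reset($row);                     // single unnamed column
        if (stripos($grant, 'GRANT USAGE ON *.* TO') === 0) {
            continue;                                      // USAGE confers no privileges
        }
        // Expected shape: GRANT SELECT, INSERT, ... ON `athena`.* TO `athena_api`@`localhost`
        if (!preg_match('/^GRANT (.+?) ON `?([^`.]+)`?\.\* TO /i', $grant, $m)
            || strcasecmp($m[2], $dbName) !== 0
            || stripos($grant, 'WITH GRANT OPTION') !== false) {
            $excess[] = $grant;                            // *.* scope, other db, or GRANT OPTION
            continue;
        }
        $privs = array_map('trim', explode(',', strtoupper($m[1])));
        if (array_diff($privs, $allowed)) {
            $excess[] = $grant;                            // e.g. ALL PRIVILEGES, DROP, FILE
        }
    }
    return $excess;
}

if ($excess = excessGrants($pdo, 'athena')) {
    throw new RuntimeException('API database account is over-privileged: ' . implode('; ', $excess));
}

// Every query is a prepared statement with bound parameters: the username is never
// interpolated into the SQL text, so it cannot change the query's structure.
function findUserByName(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => strtolower($username)]);
    return $stmt->fetch() ?: null;
}
```

Running the grant check at start-up turns the least-privilege claim into something that fails the deployment visibly when an operator later grants the account more than it should have.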

Transport Layer Security (50%)

  • In development – Where required, only the most up to date and secure TLS versions 1.2 and 1.3 are supported
  • In development – Where required, only the most up to date and secure GCM ciphers are enabled
  • In development – HTTPS using TLS is enabled site wide and on all pages, to enable enhanced security
  • Supports HTTP Strict Transport Security (HSTS), ensuring HTTPS is fully enforced application wide
  • All cookies are marked with the “Secure” attribute, ensuring they are only sent over encrypted HTTPS connections
  • Caching of sensitive data is prevented by setting cache headers to not cache any of the data transferred

NodeJS Security (67%)

  • In development – All uncaught exceptions are handled by EventEmitter to ensure no stack traces are ever leaked
  • All third party packages are kept up to date to ensure they are patched for the latest security updates
  • Commonly known dangerous functions are avoided to ensure they can’t be used in attacks
  • Regular expressions are avoided to mitigate ReDoS attacks
  • All code is developed to strict ESLint linting standards for increased security and code legibility
  • In development – All code is developed using ES5 ‘Strict Mode’ to ensure unsafe and dangerous legacy features aren’t used

REST Security (100%)

  • API only provides HTTPS endpoints for secure username, password and JWT transfer
  • Each API endpoint allows only the HTTP request methods that are required
  • Full suite of security headers passed with every API response matching OWASP recommendations, verified to receive an A+ security rating
  • Delivers appropriate and restricted Cross-Origin Resource Sharing (CORS) headers
  • Passwords, security tokens, and API keys are never sent through the URL to ensure no sensitive information is logged or leaked
  • Strict adherence to the standardised HTTP return status codes when replying to all requests

PHP Security (100%)

  • php.ini file has been hardened as per OWASP guidance
  • Error reporting and the display of errors are turned off, as are all error logs, for increased privacy
  • General PHP settings are all set to the recommended secure configuration
  • Athena Alpha is designed so that all File Upload Handling functions are fully turned off to ensure maximum security
  • All executable handling functions are disabled
  • Session setting variables are all set to match OWASP guidelines

HTML5 Security (100%)

  • Athena Alpha never asks for location permissions as no personally identifiable information is required. Ever.
  • To increase security and prevent tabnabbing, rel="noopener noreferrer" attributes are used on all external links
  • All iframes used throughout Athena Alpha use the sandbox attribute to ensure restricted permissions
  • All login / register fields have autocomplete turned off to ensure credentials are not auto-filled by unauthorized users