2026-01-19 00:31:27 +02:00

4.7 KiB

Raw Blame History

Security Policy

Supported Versions

Version	Supported
1.0.x	✅

Security Features

HelmView implements several security measures:

File Upload Security

File size limits (100MB default)
Extension validation (.tgz, .tar.gz, .zip only)
Zip-slip attack protection
Safe path traversal checks
Sandboxed extraction directories

Execution Security

No arbitrary code execution
Helm runs only with template and lint commands
No hook execution allowed
Command timeouts (60s default)
Resource limits in Docker containers

Input Validation

YAML syntax validation
Kubernetes schema validation
API input sanitization
SQL injection protection (when using database)

Isolation

Per-project sandboxed directories
Docker container isolation
Temporary file cleanup
No network access from Helm commands

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:

DO NOT

Open a public GitHub issue
Discuss the vulnerability publicly
Exploit the vulnerability

DO

Email: Send details to security@helmview.io (if available) or create a private security advisory on GitHub
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Wait: Allow up to 48 hours for initial response

What to Expect

Initial Response: Within 48 hours
Status Update: Within 7 days
Fix Timeline: Depends on severity
- Critical: 1-7 days
- High: 7-30 days
- Medium: 30-90 days
- Low: Next release cycle

Security Best Practices for Deployment

Production Deployment

Authentication: Implement user authentication (not included by default)
HTTPS: Always use TLS/SSL in production
Firewall: Restrict backend access to frontend only
Secrets: Use environment variables or secret management
Updates: Keep dependencies updated regularly
Monitoring: Set up security monitoring and logging
Backups: Regular backups of project data
Resource Limits: Configure Docker resource limits

Network Security

# Recommended docker-compose.yml additions
services:
  backend:
    networks:
      - internal
  frontend:
    networks:
      - internal
      - external

networks:
  internal:
    internal: true
  external:

Environment Hardening

# Set restrictive file permissions
chmod 600 .env

# Use non-root user in containers
# (already implemented in Dockerfiles)

# Enable Docker security features
docker run --security-opt=no-new-privileges --cap-drop=ALL

Rate Limiting

Consider implementing rate limiting for production:

File uploads: 10 per hour per IP
API requests: 100 per minute per IP
Chart renders: 20 per hour per project

Database Security (when using PostgreSQL)

Use strong passwords
Enable SSL connections
Regular security updates
Principle of least privilege for DB users
Regular backups with encryption

Known Limitations

Current Security Limitations

No Authentication: Users must implement their own auth layer
No Rate Limiting: Should be added for production
No Audit Logging: Consider adding for compliance
Shared Resources: All users share the same backend (multi-tenancy not implemented)

Helm Security Considerations

Helm charts may contain malicious templates (mitigated by no hook execution)
Large charts may consume significant resources (mitigated by timeouts)
Chart dependencies are not validated (user responsibility)

Security Checklist for Production

Enable HTTPS/TLS
Implement authentication & authorization
Set up rate limiting
Configure firewall rules
Set resource limits
Enable audit logging
Set up monitoring & alerts
Regular security updates
Backup strategy in place
Incident response plan defined
Security review completed
Penetration testing performed

Compliance

HelmView does not currently provide built-in compliance features for:

HIPAA
PCI-DSS
SOC 2
GDPR (data handling must be implemented separately)

Users requiring compliance should implement additional controls.

References

License

This security policy is part of the HelmView project and follows the same MIT License.

Last Updated: January 2026

4.7 KiB Raw Blame History