Security
Niuton implements multiple layers of security to protect user data and prevent unauthorized access.
Authentication
Password Hashing
Passwords are hashed using PHP's password_hash() with the default bcrypt algorithm and verified with password_verify().
Brute-Force Protection
The niuton_login_attempts table tracks all login attempts:
| Setting | Default | Description |
|---|---|---|
| max_login_attempts | 5 | Max failed attempts before lockout |
| lockout_duration_minutes | 15 | Lockout duration |
Tracking is per username + IP address. Entries older than 24 hours are automatically cleaned up.
Two-Factor Authentication (TOTP)
Niuton implements RFC 6238 TOTP in pure PHP (lib/totp.php):
- Setup: Generate secret key + QR code (via Google Charts API)
- Verification: 6-digit TOTP with 30-second time step, 1 window tolerance
- Backup Codes: 8 single-use recovery codes generated on 2FA enable
- Enforcement: `requireLogin()` blocks sessions in the `2fa_pending` state
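The verification step described above (30-second time step, one step of window tolerance), as an added PHP example that is not Niuton's lib/totp.php: `base32Decode`, `hotp` and `verifyTotp` are names chosen here, and the secret used at the end is the RFC 6238 reference test vector.

```php
<?php
// Added example, not Niuton's lib/totp.php; function names are hypothetical.

function base32Decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $val = strpos($alphabet, $c);
        if ($val === false) throw new InvalidArgumentException("bad base32 char: $c");
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) $out .= chr(bindec($byte)); // drop padding bits
    }
    return $out;
}

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
// truncation to a 31-bit integer reduced to $digits decimal digits.
function hotp(string $secret, int $counter, int $digits = 6): string {
    $hash = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $code = ((ord($hash[$offset]) & 0x7f) << 24) | (ord($hash[$offset + 1]) << 16)
          | (ord($hash[$offset + 2]) << 8) | ord($hash[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the code for the current 30-second step or its +/-$window neighbours.
// hash_equals keeps the comparison constant-time. A real verifier must also
// store the last accepted counter per user so a code cannot be replayed.
function verifyTotp(string $b32Secret, string $code, int $now, int $window = 1, int $step = 30): bool {
    $secret = base32Decode($b32Secret);
    $counter = intdiv($now, $step);
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(hotp($secret, $counter + $i), $code)) $ok = true;
    }
    return $ok;
}

// RFC 6238 test vector: secret "12345678901234567890" (base32 below) at
// T = 59 s is counter 1 and yields the 6-digit code 287082.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
var_dump(verifyTotp($secret, '287082', 59));  // true: exact step
var_dump(verifyTotp($secret, '287082', 89));  // true: one step later, within window
var_dump(verifyTotp($secret, '287082', 120)); // false: two steps later
```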
Session Security
session.cookie_httponly = true
session.cookie_secure = true
session.cookie_samesite = Lax
session.use_strict_mode = true
Session IDs are regenerated on login to prevent session fixation.
API Token Security
Sync API tokens:
- 64-character random hex strings
- Stored as SHA-256 hashes (never plaintext)
- Per-device, individually revocable
- Include device identification metadata
Authorization
Role-Based Access
| Role | Capabilities |
|---|---|
| admin | Full access, system config, user management, deploy |
| user | Standard access, own data only |
Data Isolation
- Each user can only access their own files (`userdata/user_{ID}/`)
- Database queries filter by `user_id`
- Team Chat verifies room membership for all operations
- Shared files scoped to rooms the user belongs to
Input Validation
CSRF Protection
All state-changing requests require a CSRF token:
- Token stored in session, exposed via `<meta name="csrf-token">`
- Sent via `X-CSRF-Token` header or `_csrf_token` POST field
- Exempt: GET requests and Bearer-token-authenticated requests
CSRF Expansion v3.12
CSRF protection was extended to 8 further apps that were previously unprotected. All POST endpoints now validate the CSRF token.
Path Traversal Prevention
sanitizePath() prevents directory traversal:
- Resolves `../` sequences
- Ensures paths stay within allowed directories
- Applied to all file operations
SSRF Prevention
validateUrlForSsrf() blocks requests to:
- Private IP ranges (10.x, 172.16-31.x, 192.168.x)
- Localhost (127.0.0.1, ::1)
- Cloud metadata endpoints (169.254.169.254)
- Link-local addresses
Command Execution
The run_command Aurora tool:
- Executes in user's home directory
- Blocklist of dangerous commands
- Output capture and sanitization
XSS Prevention v3.12
Markdown output is comprehensively sanitized:
- Removes `<script>`, `<style>`, `<iframe>` tags
- Removes all `on*` event handlers (`onclick`, `onerror`, `onload`, etc.)
- Blocks `javascript:` URLs
- Applied in Team Chat, ChatPanel, Aurora Orb, Files Preview
API Authentication v3.12
Unauthenticated API requests now receive a JSON response with status 401 instead of a 302 redirect to the login page. This avoids problems with AJAX clients that do not handle redirects correctly.
HTTP Security Headers
Applied via Nginx reverse proxy:
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Markdown Sanitization
User-generated Markdown is sanitized before rendering:
- Strips `<script>`, `<style>`, `<iframe>` tags
- Removes event handlers (`onclick`, `onerror`, etc.)
- Blocks `javascript:` URLs
Audit Logging
Security-relevant actions are logged to niuton_audit_log:
- Login attempts (success/failure)
- App creation/deletion
- Admin configuration changes
- File operations (via Aurora tools)
Maintenance Mode
When enabled:
- All non-admin sessions are terminated
- Login restricted to admin accounts
- Returns 503 for API requests
- Configurable via `niuton_system_config`