Security

Configure security policies, monitor audit logs, and manage security-related settings in SPEAR.

---

Security Overview

🖥️ Security Dashboard Screenshot

Access the security dashboard at Admin > Security for:

• Security event summary
• Recent authentication activity
• Active session count
• Security alert status

---

Audit Logging

🖥️ Audit Log Viewer Screenshot

Logged Events

SPEAR maintains comprehensive audit logs for security-relevant events:

Category	Events
Authentication	Login, logout, failed attempts, password changes
Authorization	Permission changes, role assignments
Data Access	Report exports, portal access, data downloads
Administration	User creation, settings changes, backup operations
Security	Session terminations, API key operations

Audit Log Fields

Each audit entry includes:

Field	Description
Timestamp	When the event occurred
User	User who performed the action
Action	What action was performed
Resource	What was affected
IP Address	Source IP address
User Agent	Browser/client information
Details	Additional context

Viewing Audit Logs

1. Navigate to Admin > Security > Audit Log
2. Use filters:
   • Date range
   • User
   • Action type
   • Resource type
3. Click entries for details
4. Export for analysis

Audit Log Retention

Setting	Default	Range
Retention Period	365 days	90-730 days
Archive Destination	Local	Local/S3

Configure at Admin > Security > Audit Settings.

---

Session Management

🖥️ Active Sessions Management Screenshot

Active Sessions

View and manage all active sessions:

1. Navigate to Admin > Security > Sessions
2. View session list with:
   • User
   • IP Address
   • Device/Browser
   • Last Activity
   • Session Start

Session Actions

Action	Effect
View Details	See full session information
Revoke	End the session immediately
Revoke All (User)	End all sessions for a user
Revoke All (System)	End all sessions (emergency)

Session Policies

Configure session behavior:

Policy	Description	Default
Session Timeout	Inactive timeout	24 hours
Absolute Timeout	Maximum session duration	7 days
Concurrent Sessions	Max sessions per user	Unlimited
IP Binding	Lock session to IP	Disabled

---

Access Control

Permission Verification

SPEAR verifies permissions at multiple levels:

flowchart TD
    A[Request] --> B{Authenticated?}
    B -->|No| C[401 Unauthorized]
    B -->|Yes| D{Has Permission?}
    D -->|No| E[403 Forbidden]
    D -->|Yes| F{Resource Access?}
    F -->|No| G[404 Not Found]
    F -->|Yes| H[Process Request]

API Security

Protection	Description
Bearer Token	Token-based authentication
Rate Limiting	Request throttling
CORS	Cross-origin restrictions
Input Validation	Request sanitization

Permission Escalation Prevention

SPEAR prevents privilege escalation:

• Users cannot create users with higher privileges
• Users cannot modify their own permission level
• Group role assignments validated against modifier’s level

---

Security Alerts

🖥️ Security Alerts Configuration Screenshot

Alert Types

Alert	Trigger	Severity
Failed Logins	Multiple failures from same IP	Medium
Unusual Access	Access from new location/device	Low
Permission Change	Admin permission granted	High
Data Export	Bulk data export	Medium
Session Anomaly	Multiple concurrent sessions	Low

Alert Configuration

1. Navigate to Admin > Security > Alerts
2. Enable/disable alert types
3. Set thresholds:
   • Failed login attempts
   • Time windows
   • Geographic sensitivity
4. Configure notifications

Alert Actions

For triggered alerts:

1. Review alert details
2. Investigate the activity
3. Take action if needed:
   • Lock user account
   • Revoke sessions
   • Block IP address
4. Mark as resolved

---

IP Management

IP Allowlist

Restrict access to specific IPs:

1. Navigate to Admin > Security > IP Rules
2. Click Add Allowlist Entry
3. Enter IP or CIDR range
4. Add description
5. Enable allowlist mode

Caution

Enabling allowlist mode blocks all IPs not in the list. Ensure your IP is included before enabling.

IP Blocklist

Block malicious IPs:

1. Navigate to Admin > Security > IP Rules
2. Click Add Blocklist Entry
3. Enter IP or CIDR range
4. Add reason
5. Save

Automatic Blocking

Configure automatic IP blocking:

Setting	Description
Failed Login Threshold	Block after X failures
Block Duration	How long to block
Whitelist	IPs exempt from blocking

---

Data Protection

Encryption

SPEAR encrypts sensitive data:

Data Type	Encryption
Passwords	bcrypt hashing
Sensitive Fields	AES-256 (using SPEAR_ENCRYPTION_KEY)
Session Tokens	Cryptographically random
API Tokens	Secure random generation

Data Access Controls

Control	Implementation
Row-Level Security	PocketBase rules
Field-Level Access	Schema permissions
Export Controls	Permission-based

---

Security Headers

SPEAR applies security headers:

Header	Value	Purpose
X-Content-Type-Options	nosniff	Prevent MIME sniffing
X-Frame-Options	DENY	Prevent clickjacking
X-XSS-Protection	1; mode=block	XSS filter
Strict-Transport-Security	max-age=31536000	Force HTTPS
Content-Security-Policy	Configured	Script/style restrictions

CSP Configuration

Configure Content Security Policy:

1. Navigate to Admin > Security > Headers
2. Modify CSP directives
3. Test in report-only mode
4. Enable enforcement

---

Vulnerability Reporting

Security Contact

Report security vulnerabilities:

1. Email: security@mwgroup.io
2. Include:
   • Description of vulnerability
   • Steps to reproduce
   • Potential impact
   • Your contact information

Responsible Disclosure

SPEAR follows responsible disclosure:

1. Report received and acknowledged
2. Issue investigated and verified
3. Fix developed and tested
4. Update released
5. Credit given (if desired)

---

Security Checklist

Initial Setup

• Set strong SPEAR_ENCRYPTION_KEY
• Enable HTTPS (Traefik SSL)
• Create admin account with strong password
• Configure session timeout
• Set up backup encryption

Ongoing

• Review audit logs weekly
• Monitor security alerts
• Update to latest version
• Review user permissions quarterly
• Test backup restoration
• Rotate API keys annually

Hardening

• Enable IP allowlist (if applicable)
• Configure failed login blocking
• Set strict session policies
• Enable MFA (when available)
• Review CSP configuration

---

Compliance

Data Handling

SPEAR supports compliance requirements:

Requirement	Support
Audit Logging	Comprehensive event logging
Access Control	RBAC with granular permissions
Data Encryption	At-rest and in-transit
Data Retention	Configurable retention periods
Data Export	Full data export capability

Reports

Generate compliance reports:

1. Navigate to Admin > Security > Reports
2. Select report type:
   • Access Report
   • Audit Summary
   • Permission Matrix
3. Set date range
4. Generate and download

---

Troubleshooting

Account Locked

1. Check audit log for failed attempts
2. Clear blocklist entry if IP blocked
3. Reset password if needed
4. Investigate source of failed attempts

Permission Issues

1. Verify user’s group membership
2. Check group’s assigned roles
3. Review permission level requirements
4. Check audit log for changes

Session Problems

1. Check session timeout settings
2. Verify secure cookie settings
3. Check for IP changes (VPN)
4. Clear browser cookies and retry