🐣 New Feature: Security Check #7288

Closed
@mtrezza

Description

🛡 Security Check

We want to make it easier for you to secure your Parse Server. The new Security Check feature allows you to easily identify weak security settings in your Parse Server deployment. This helps you to secure existing Parse Server apps, but also to transition new apps from a playground environment, in which security settings are often deliberately weak for easy development, to a secure production environment. The feature comes with built-in security checks and also allows you to write custom checks for your application.

Features

  • New security endpoint https://example.com/parse/security that returns the security report in JSON format (requires master key)
  • Optional output of the security report into the log file on Parse Server start
  • Customizable: allows overriding built-in checks and adding custom security checks via the Parse Server configuration
  • Modular design: checks run only on demand, so there is no constant load on Parse Server

ℹ️ Adding a security check is now mandatory for security relevant PRs to increase the security coverage. There are still many existing settings that are not yet checked, so please feel free to submit a new check to be added to the built-in checks. If you are interested in seeing the security report conveniently as a Parse Dashboard page, please join the PR.

Usage

To enable the Security Check set the Parse Server configuration security.enableCheck: true.

const server = new ParseServer({
  security: {
    enableCheck: true,     // Enables security checks including `/security` endpoint
    enableCheckLog: true,  // Enables log output; required to auto-run security check on server start
    checkGroups: [ ... ]   // Custom security checks
  },
  ...otherOptions
});

Example security report log output:

###################################
#                                 #
#   Parse Server Security Check   #
#                                 #
###################################

Warning: 1 weak security setting(s) found!
2 check(s) executed
0 check(s) skipped

- Parse Server Configuration
   ✅ Secure master key
   ❌ Security log disabled
      Warning: Security report in log. Set Parse Server configuration `security.enableCheckLog` to false.

The report returned by the /security endpoint follows this schema:

{
    report: {
      version: "1.0.0",  // The report version, defines the schema
      state: "fail",     // The disjunctive indicator of failed checks in all groups
      groups: [          // The check groups
        {
          name: "House",            // The group name
          state: "fail",            // The disjunctive indicator of failed checks in this group
          checks: [                 // The checks
            {
              title: "Door locked",                    // The check title
              state: "fail",                           // The check state
              warning: "Anyone can enter your house.", // The warning
              solution: "Lock your door."              // The solution
            }
          ]
        },
        ...
      ]
    }
}
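To make the configuration options above and this report schema concrete, here is an added example (written for this page, not Parse Server's own Check/CheckGroup implementation) of how a report is assembled from check groups: each check is a function that throws when a setting is weak, a group's state is the disjunctive indicator of its checks, and the report's state is the disjunctive indicator of its groups. The two built-in-style checks mirror the sample log output above; the master-key strength criterion, the warning and solution texts, the `App Hardening` custom group and the sample configuration are all constructed for this example. `allowClientClassCreation` is a real Parse Server option, but the check on it is ours, not a built-in check.

```javascript
// Added example, not Parse Server's own code: a minimal model of how a security
// report is assembled from check groups, following the report schema in the issue.

// A check: a title, the warning and solution shown on failure, and a function
// that throws when the inspected setting is weak (constructed convention).
function makeCheck(title, warning, solution, checkFn) {
  return { title, warning, solution, checkFn };
}

// Run one check against the server configuration; any throw counts as a failure.
function runCheck(check, config) {
  try {
    check.checkFn(config);
    return { title: check.title, state: 'success' };
  } catch (err) {
    return { title: check.title, state: 'fail', warning: check.warning, solution: check.solution };
  }
}

// A group fails if any of its checks fails (the "disjunctive indicator").
function runGroup(group, config) {
  const checks = group.checks.map((c) => runCheck(c, config));
  const state = checks.some((c) => c.state === 'fail') ? 'fail' : 'success';
  return { name: group.name, state, checks };
}

// The whole report fails if any group fails.
function runSecurityCheck(groups, config) {
  const results = groups.map((g) => runGroup(g, config));
  const state = results.some((g) => g.state === 'fail') ? 'fail' : 'success';
  return { report: { version: '1.0.0', state, groups: results } };
}

// Render a report in the style of the log output shown in the issue.
function formatReport(report) {
  const lines = [];
  let failed = 0;
  let executed = 0;
  for (const g of report.report.groups) {
    lines.push(`- ${g.name}`);
    for (const c of g.checks) {
      executed += 1;
      if (c.state === 'fail') {
        failed += 1;
        lines.push(`   ❌ ${c.title}`, `      Warning: ${c.warning} ${c.solution}`);
      } else {
        lines.push(`   ✅ ${c.title}`);
      }
    }
  }
  const header = failed > 0
    ? `Warning: ${failed} weak security setting(s) found!`
    : 'No weak security settings found.';
  return [header, `${executed} check(s) executed`, ...lines].join('\n');
}

// Group modelled on the two checks in the issue's sample log. The master-key
// criterion (14+ chars mixing letters, digits and symbols) is constructed here.
const builtInGroup = {
  name: 'Parse Server Configuration',
  checks: [
    makeCheck('Secure master key', 'The master key is weak.',
      'Use a long, random master key that mixes letters, digits and special characters.',
      (cfg) => {
        const key = String(cfg.masterKey || '');
        const strong = key.length >= 14 && /[A-Za-z]/.test(key) && /\d/.test(key) && /[^A-Za-z0-9]/.test(key);
        if (!strong) throw new Error('weak master key');
      }),
    makeCheck('Security log disabled', 'Security report in log.',
      'Set Parse Server configuration `security.enableCheckLog` to false.',
      (cfg) => {
        if (cfg.security && cfg.security.enableCheckLog === true) throw new Error('report is logged');
      }),
  ],
};

// A custom group of the kind an app might add via `security.checkGroups`.
const customGroup = {
  name: 'App Hardening',
  checks: [
    makeCheck('Client class creation disabled', 'Clients can create new classes.',
      'Set `allowClientClassCreation` to false in production.',
      (cfg) => {
        if (cfg.allowClientClassCreation !== false) throw new Error('client class creation allowed');
      }),
  ],
};

// Constructed sample configuration: strong key, report logging enabled,
// allowClientClassCreation left at its default (not explicitly false).
const sampleConfig = {
  masterKey: 'Xk9#pL2vQ8mR4zT!',
  security: { enableCheck: true, enableCheckLog: true },
};

const sampleReport = runSecurityCheck([builtInGroup, customGroup], sampleConfig);
console.log(formatReport(sampleReport));
```

With the sample configuration the master-key check passes while the log and class-creation checks fail, so both groups and the overall report end in state `fail`, matching the "disjunctive" semantics described for the schema; flipping `enableCheckLog` to false and setting `allowClientClassCreation: false` turns the whole report to `success`.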

About

  • This issue is only intended to inform. If you encounter a bug or have a suggestion, please open a new issue.
  • This is a pilot for a new series in which we move notable feature additions or improvements into the spotlight.
  • Got feedback regarding this series? Post in the Community Forum.
