Security Hardening Notes

This pass focused on high-value hardening that could land without redesigning Harbor's auth model.

Source: security-hardening-notes.md

Implemented

- Harbor Node browser-origin hardening
  - Replaced permissive wildcard browser access with an allowlist-based CORS model.
  - Rejects disallowed Origin headers on Harbor Node API routes.
  - Blocks privileged operator routes until the first operator password bootstrap is completed.
  - Adds lightweight fixed-window throttling for operator bootstrap, login, and password change routes.
- Harbor Node secret-at-rest foundation
  - Hidden config storage now supports AES-256-GCM encryption through ENCRYPTION_MASTER_KEY.
  - In production, Harbor Node refuses to fall back to plaintext hidden-value storage.
  - Fleet session tokens are now written through the hidden-config codec instead of plain DB storage.
- Cloud API hardening
  - Replaced wildcard CORS defaults with an explicit allowlist.
  - Added lightweight fixed-window throttling for sign-in, sign-up, password change, contact, and palette-import routes.
  - Cloud session tokens are hashed at rest with backward-compatible migration for legacy rows.
  - Member password changes now revoke all active cloud sessions for that account.
  - Seed/demo passwords no longer silently default to weak static values when envs are missing.
- Browser session storage tightening
  - Cloud Admin and Website account sessions now use sessionStorage with one-time migration from legacy localStorage.
  - Harbor UI paired-node access keys and operator session tokens now use session-scoped browser storage with legacy migration.
- Browser rendering safety
  - Escaped attacker-controlled values in Cloud Admin support/account/enrollment rendering.
  - Escaped attacker-controlled values in Website account node/activity rendering.

Required Environment Updates

- Set ENCRYPTION_MASTER_KEY for any production Harbor Node deployment.
- Set explicit cloud seeded-account passwords for non-dev deployments:
  - CLOUD_COMMUNITY_PASSWORD
  - CLOUD_DEMO_PASSWORD
  - CLOUD_BUSINESS_PASSWORD
  - CLOUD_ADMIN_PASSWORD
- Set explicit browser origins as needed:
  - HARBOR_ALLOWED_ORIGINS
  - CLOUD_API_CORS_ORIGIN

Remaining Follow-Up

- Move cloud/admin auth from JS-readable bearer storage to HttpOnly cookie sessions (with SameSite and a CSRF check, since cookies are attached automatically).
- Add stronger SSRF protections to palette import by blocking private/reserved address space after DNS resolution, and by connecting to the vetted address rather than re-resolving the hostname, so the answer cannot change between check and use.
- Add stronger secret-at-rest coverage for any remaining non-hidden secret columns outside Harbor Node.
- Add deployment-layer security headers and TLS-focused guidance.