mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-05-12 05:45:27 +00:00
Security enhancements:
- Fixed critical issue: PBS tokens no longer logged in plaintext
- PVE tokens now properly masked in all log outputs
- Enhanced token security documentation

Alert system fixes:
- Fixed storage alerts not working due to threshold being 0
- Added automatic defaults preservation for alert thresholds
- Storage alerts now properly trigger at 85% usage

Node management improvements:
- Fixed node deletion causing 'Node not found' errors
- Added instant discovery refresh when nodes are deleted
- Added manual refresh buttons for discovery
- Fixed PBS token cleanup in auto-registration scripts
- Fixed /dev/tty errors when running scripts in Docker containers

Bug fixes:
- Fixed CPU MHz field type mismatch causing JSON unmarshal errors
- Suppressed non-critical container snapshot API errors
- Fixed auto-registration using Docker internal IPs instead of actual host IPs

Documentation updates:
- Added comprehensive security documentation
- Streamlined setup documentation focusing on ease of use
- Removed marketing language and consolidated repetitive content

Frontend improvements:
- Added WebSocket support for real-time node updates
- Added discovery refresh buttons in Settings
- Improved node deletion feedback
1.7 KiB
Pulse Security
Credential Security
- Storage: Encrypted at rest using AES-256-GCM (/etc/pulse/nodes.enc)
- Logs: Token values masked with *** in all outputs
- API: Frontend receives only hasToken: true, never actual values
- Export: Requires API_TOKEN authentication to extract credentials
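The log-masking and hasToken rules in the list above can be enforced by the type system instead of by each call site. This Go code is an added example, not Pulse's own implementation; Secret, Node, LogLine and APIBody are hypothetical names and the sample values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Secret is a hypothetical wrapper type (not Pulse's own) for a PVE/PBS token.
type Secret string

// Format implements fmt.Formatter: every verb (%s, %v, %+v, %q) prints the mask.
func (s Secret) Format(f fmt.State, _ rune) { f.Write([]byte("***")) }

// MarshalJSON keeps the value out of any JSON document that embeds a Secret.
func (s Secret) MarshalJSON() ([]byte, error) { return json.Marshal("***") }

// Reveal is the single, greppable place where the raw value leaves the type.
func (s Secret) Reveal() string { return string(s) }

// Node is a constructed stand-in for a stored node entry.
type Node struct {
	Name, Host string
	Token      Secret
}

// MarshalJSON is the API view: the frontend learns only whether a token exists.
func (n Node) MarshalJSON() ([]byte, error) {
	return json.Marshal(struct {
		Name     string `json:"name"`
		Host     string `json:"host"`
		HasToken bool   `json:"hasToken"`
	}{n.Name, n.Host, n.Token != ""})
}

// LogLine models a careless debug statement that dumps the whole struct.
func LogLine(n Node) string { return fmt.Sprintf("registering node %+v", n) }

// APIBody returns what an API handler would send to the browser.
func APIBody(n Node) string {
	b, _ := json.Marshal(n)
	return string(b)
}

func main() {
	// Constructed sample values, not real credentials.
	n := Node{"pve1", "https://pve1.example:8006", "root@pam!pulse=constructed-secret"}
	fmt.Println(LogLine(n))
	fmt.Println(APIBody(n))
}
```

Code that genuinely needs the raw token (the client that talks to the node, or the encrypted store) calls Reveal(), which keeps every point of exposure easy to audit.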
Export/Import Protection
By default, configuration export/import is blocked for security. You have two options:
Option 1: Set API Token (Recommended)
# Using systemd (secure)
sudo systemctl edit pulse-backend
# Add:
[Service]
Environment="API_TOKEN=your-secure-token-here"
# Then restart:
sudo systemctl restart pulse-backend
# Docker
docker run -e API_TOKEN=your-token rcourtman/pulse:latest
Option 2: Allow Unprotected Export (Homelab)
# Using systemd
sudo systemctl edit pulse-backend
# Add:
[Service]
Environment="ALLOW_UNPROTECTED_EXPORT=true"
# Docker
docker run -e ALLOW_UNPROTECTED_EXPORT=true rcourtman/pulse:latest
Note: Never put API tokens or passwords in .env files! Use systemd environment variables or Docker secrets for sensitive data.
Security Features
- Encryption: Exports are always encrypted (AES-256-GCM)
- Rate Limiting: 5 attempts per minute on export/import
- Minimum Passphrase: 12 characters required
- Security Tab: Check status in Settings → Security
What's Encrypted in Exports
- Node credentials (passwords, API tokens)
- PBS credentials
- Email settings passwords
What's NOT Encrypted
- Node hostnames and IPs
- Threshold settings
- General configuration
Troubleshooting
- Export blocked? Set API_TOKEN or ALLOW_UNPROTECTED_EXPORT=true
- Rate limited? Wait 1 minute and try again