mirror of
https://github.com/smittix/intercept.git
synced 2026-07-02 14:58:58 -07:00
48b9d9d05a
- README: remove CW/Morse notes, condense multi-arch Docker detail, fix screenshot path, tighten credentials note
- FEATURES.md: replace 550-line bullet dump with a concise mode→link table
- USAGE.md: replace 140-line Webhooks section with pointer to new WEBHOOKS.md; remove duplicate Configuration and CLI Options sections
- docs/WEBHOOKS.md: new file with full webhook setup, payload format, and Discord relay guide
- HARDWARE.md: remove duplicate Quick Install / Python Environment / Running INTERCEPT sections; add Icecast setup section
- TROUBLESHOOTING.md: replace Icecast install/config block with pointer to HARDWARE.md; replace duplicate udev rules with pointer to HARDWARE.md
- SECURITY.md: update auth section to reflect admin/admin login (was "no authentication mechanism")
- UI_GUIDE.md: add contributor/developer notice at the top

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
91 lines
3.5 KiB
Markdown
# Security Considerations

INTERCEPT is designed as a **local signal intelligence tool** for personal use on trusted networks. This document outlines security considerations and best practices.

## Network Binding

By default, INTERCEPT binds to `0.0.0.0:5050`, making it accessible from any network interface. This is convenient for accessing the web UI from other devices on your local network, but it has security implications.

### Recommendations

1. **Firewall Rules**: If you don't need remote access, configure your firewall to block external access to port 5050:

   ```bash
   # Linux (iptables): allow loopback clients, then drop everything else reaching 5050
   sudo iptables -A INPUT -p tcp --dport 5050 -s 127.0.0.1 -j ACCEPT
   sudo iptables -A INPUT -p tcp --dport 5050 -j DROP

   # macOS (pf): loads a one-rule ruleset, replacing any rules currently loaded
   echo "block in on en0 proto tcp from any to any port 5050" | sudo pfctl -ef -
   ```

2. **Bind to Localhost**: For local-only access, set the host to `127.0.0.1` or pass the `-H` flag to the start script:

   ```bash
   sudo ./start.sh -H 127.0.0.1
   ```

3. **Trusted Networks Only**: Only run INTERCEPT on networks you trust. Default credentials are admin / admin — change them before network exposure.

## Authentication

INTERCEPT includes basic username/password authentication (default credentials: **admin / admin**). **Change these before exposing the application on any network** — update `ADMIN_USERNAME` and `ADMIN_PASSWORD` in `config.py`.

For additional protection when exposing INTERCEPT beyond your local machine:

1. Use a reverse proxy (nginx, Caddy) with authentication or TLS
2. Use a VPN to access your home network
3. Use SSH port forwarding: `ssh -L 5050:localhost:5050 your-server`

## Security Headers

INTERCEPT includes the following security headers on all responses:

| Header | Value | Purpose |
|--------|-------|---------|
| `X-Content-Type-Options` | `nosniff` | Prevent MIME type sniffing |
| `X-Frame-Options` | `SAMEORIGIN` | Prevent clickjacking |
| `X-XSS-Protection` | `1; mode=block` | Enable browser XSS filter |
| `Referrer-Policy` | `strict-origin-when-cross-origin` | Control referrer information |
| `Permissions-Policy` | `geolocation=(self), microphone=()` | Restrict browser features |

## Input Validation

All user inputs are validated before use:

- **Network interface names**: Validated against a strict regex pattern
- **Bluetooth interface names**: Must match the `hciX` format
- **MAC addresses**: Validated format
- **Frequencies**: Validated range and format
- **File paths**: Protected against directory traversal
- **HTML output**: All user-provided content is escaped

## Subprocess Execution

INTERCEPT executes external tools (rtl_fm, airodump-ng, etc.) via subprocess. Security measures:

- **No shell execution**: All subprocess calls use list arguments, not shell strings
- **Input validation**: All user-provided arguments are validated before use
- **Process isolation**: Each tool runs in its own process with limited permissions
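
The two measures above (allow-list validation of `hciX` names, MAC addresses and frequencies, followed by a list-form argv rather than a shell string) as an added example; this is not code from the INTERCEPT project, and the regex patterns, the frequency bounds and the accepted `rtl_fm` modulation names are assumptions made for the illustration.

```python
import re
from typing import List

# Allow-list patterns. Assumed for illustration; the page does not show
# INTERCEPT's own regexes.
HCI_RE = re.compile(r"hci\d{1,2}")
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
FREQ_RE = re.compile(r"(\d+(?:\.\d+)?)([kMG]?)")  # rtl_fm style, e.g. 162.400M
SUFFIX_HZ = {"": 1, "k": 1_000, "M": 1_000_000, "G": 1_000_000_000}
# Constructed tuning range (Hz) for the range check; not a value from the project.
FREQ_MIN_HZ, FREQ_MAX_HZ = 24_000_000, 1_766_000_000
MODULATIONS = ("fm", "wbfm", "am", "usb", "lsb")  # rtl_fm -M values accepted here


class ValidationError(ValueError):
    """Raised when user input fails allow-list validation."""


def validate_hci(name: str) -> str:
    # fullmatch anchors both ends, so "hci0;ls" or "hci0 -x" cannot slip through.
    if not HCI_RE.fullmatch(name):
        raise ValidationError(f"bad Bluetooth interface: {name!r}")
    return name


def validate_mac(mac: str) -> str:
    if not MAC_RE.fullmatch(mac):
        raise ValidationError(f"bad MAC address: {mac!r}")
    return mac.upper()


def validate_frequency(freq: str) -> int:
    """Return the frequency in whole Hz after a format check and a range check."""
    m = FREQ_RE.fullmatch(freq)
    if not m:
        raise ValidationError(f"bad frequency format: {freq!r}")
    hz = round(float(m.group(1)) * SUFFIX_HZ[m.group(2)])
    if not FREQ_MIN_HZ <= hz <= FREQ_MAX_HZ:
        raise ValidationError(f"frequency out of range: {hz} Hz")
    return hz


def build_rtl_fm_argv(freq: str, modulation: str = "fm") -> List[str]:
    """Build an argv list for rtl_fm. Hand it to subprocess.run(argv) with the
    default shell=False: every element is exactly one argument, so nothing in
    the input is ever interpreted by a shell (and is rejected above anyway)."""
    if modulation not in MODULATIONS:
        raise ValidationError(f"unsupported modulation: {modulation!r}")
    return ["rtl_fm", "-f", str(validate_frequency(freq)), "-M", modulation]
```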

## Debug Mode

Debug mode is **disabled by default**. If enabled via `INTERCEPT_DEBUG=true`:

- The Werkzeug debugger PIN is disabled (not needed for a local tool)
- Additional logging is enabled
- Stack traces are shown on errors

**Never run in debug mode on untrusted networks.**

## Reporting Security Issues

If you discover a security vulnerability, please report it by:

1. Opening a GitHub issue (for non-sensitive issues)
2. Emailing the maintainer directly (for sensitive issues)

Please include:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)