Security
Campus WoL is designed with a defense-in-depth approach to security. Rather than relying on a single barrier, the system layers multiple independent protections so that a failure in one layer does not compromise the whole platform. Every feature follows two guiding principles: grant the least privilege needed for the task, and log everything.
This section explains how each layer works, what it protects against, and how the pieces fit together.
Quick Reference
The following table maps common threats to the specific mitigations Campus WoL applies:
| Threat | Mitigation |
|---|---|
| Unauthorized access | JWT authentication + RBAC + site scoping |
| Credential theft | Argon2id password hashing |
| Brute-force login | Token bucket rate limiting |
| Privilege escalation | Container capability drops + no-new-privileges |
| Unaudited actions | Comprehensive audit logging with IP tracking |
| Data in transit | TLS via reverse proxy + CORS restrictions |
| Agent compromise | Read-only containers + Unix socket IPC |
What You'll Find Here
- Authentication -- How login works, password hashing, JWT sessions, and rate limiting
- Role-Based Access Control -- The three roles (Viewer, Operator, Admin), the full permissions matrix, and site scoping
- Audit Logging -- What gets logged, how to view and export logs, and retention policies
- Network Security -- TLS termination, CORS, security headers, and input validation
- Container Security -- How Docker containers are hardened with capability drops, read-only filesystems, and privilege restrictions
- Secrets Management -- How the system handles JWT keys, passwords, and encryption secrets
Design Principles
Least privilege. Every user, container, and process operates with the minimum permissions needed to do its job. Users without an assigned site see nothing. Containers run without root and with all capabilities dropped except those strictly required. API endpoints reject requests that exceed the caller's role.
Audit everything. Every meaningful action -- logins, wake operations, device changes, user management -- is recorded with the acting user, a timestamp, and the client IP address. Audit records cannot be edited or deleted through the application.
Fail closed. When the system cannot verify a permission, it denies access rather than granting it. A non-admin user without any site assignments sees an empty interface rather than all sites. An expired JWT is rejected, not silently renewed.
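As an added illustration of the fail-closed and site-scoping rules above (example code written for this page, not Campus WoL's own implementation), the sketch below denies on every uncertain path: expired tokens raise, unassigned non-admins see no sites, and unknown actions or roles are rejected. The role names come from this documentation; the action-to-role mapping and the `User`/`Token` types are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
import time

# Higher rank = more privilege. The three role names are from the Campus WoL docs;
# the action-to-role mapping is a constructed assumption, not the real permissions matrix.
ROLE_RANK = {"viewer": 0, "operator": 1, "admin": 2}
REQUIRED_ROLE = {"view_devices": "viewer", "wake": "operator", "manage_users": "admin"}


@dataclass
class User:
    name: str
    role: str
    sites: frozenset = field(default_factory=frozenset)  # assigned site ids


@dataclass
class Token:
    user: User
    exp: float  # Unix timestamp after which the token is no longer valid


def validate_token(token: Token, now: Optional[float] = None) -> User:
    """Fail closed: an expired token raises; it is never silently renewed."""
    now = time.time() if now is None else now
    if now >= token.exp:
        raise PermissionError("token expired")
    return token.user


def visible_sites(user: User, all_sites: set) -> set:
    """Admins see every site; everyone else sees only assigned sites, possibly none."""
    if user.role == "admin":
        return set(all_sites)
    return set(all_sites) & set(user.sites)


def authorize(user: User, action: str, site: str, all_sites: set) -> bool:
    """Allow only when the role is sufficient AND the site is in scope.
    Unknown actions and unknown roles are denied rather than allowed."""
    required = REQUIRED_ROLE.get(action)
    if required is None or user.role not in ROLE_RANK:
        return False
    if ROLE_RANK[user.role] < ROLE_RANK[required]:
        return False
    return site in visible_sites(user, all_sites)
```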