theunraveler / taskwarrior-web

A web interface for the Taskwarrior todo application. Because being a neckbeard is only fun sometimes.
http://theunraveler.github.com/taskwarrior-web
MIT License
530 stars, 60 forks

What are the steps I have to follow to secure taskwarrior web when I host it on a vps for personal use? #96

Open anilv4 opened 7 years ago

anilv4 commented 7 years ago

What are the steps I have to follow to secure taskwarrior web when I host it on a VPS for personal use?

Thanks, Anil

cilynx commented 6 years ago

Per the README:

task-web is mostly designed to run locally. As such, security is not of the highest priority. You may find that things such as CSRF protection are lacking. If things like this are important to you, please file an issue or a pull request.

As things stand today, it's not recommended to run task-web Internet-facing. If you want to run it on a VPS, your best route is to block most incoming traffic to your VPS and connect to it from your client machine using VPN or an SSH tunnel.

Zebradil commented 6 years ago

I'm using http basic auth for that purpose. Brute-force attacks could be handled with something like fail2ban. The only thing I would like to add to my setup is SSL to secure credentials.

eamonne commented 6 years ago

Along the same lines, I want to host this behind nginx; is there a way to force it to only be served on localhost? I can block public traffic on 5678, but I'd rather it not be served at all.

Zebradil commented 6 years ago

Try running it with the --host argument:

$ task-web --host 127.0.0.1
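The two setups discussed in this thread (keep the port closed and reach task-web over an SSH tunnel, or put nginx in front of it with TLS, HTTP basic auth and fail2ban while task-web itself is bound to 127.0.0.1 with --host), as one added shell example. This is not code from the thread or from taskwarrior-web; it only renders the pieces so they can be checked. The hostname tasks.example.com, the certificate paths, the htpasswd location, the fail2ban thresholds and the `ss -ltn` output fed to the final check are assumptions; the --host flag and port 5678 are taken from the comments above.

```shell
#!/bin/sh
# Hardening recipe for a personal task-web instance on a VPS.
# Added example, not project code. Assumed (not from the thread): tasks.example.com,
# the Let's Encrypt cert paths, /etc/nginx/taskweb.htpasswd, the fail2ban thresholds.

TASKWEB_HOST=127.0.0.1   # from the thread: task-web --host 127.0.0.1
TASKWEB_PORT=5678        # from the thread: the port eamonne is blocking
SITE_NAME=${SITE_NAME:-tasks.example.com}   # assumed hostname

# Option A (cilynx): never open the port; forward it over SSH from the client.
# $1 = user@vps. -N: no remote shell, -L: local 5678 -> VPS loopback 5678.
# Afterwards browse http://localhost:5678 on the client.
ssh_tunnel_cmd() {
  printf 'ssh -N -L %s:%s:%s %s\n' "$TASKWEB_PORT" "$TASKWEB_HOST" "$TASKWEB_PORT" "$1"
}

# Option B (Zebradil): nginx terminates TLS, enforces basic auth, proxies to loopback.
# Plain HTTP is redirected so credentials are never sent in the clear.
nginx_site() {
  cat <<EOF
server {
    listen 80;
    server_name $SITE_NAME;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name $SITE_NAME;
    ssl_certificate     /etc/letsencrypt/live/$SITE_NAME/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/letsencrypt/live/$SITE_NAME/privkey.pem;     # assumed path
    auth_basic           "task-web";
    auth_basic_user_file /etc/nginx/taskweb.htpasswd;                    # assumed path
    location / {
        proxy_pass http://$TASKWEB_HOST:$TASKWEB_PORT;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# One htpasswd line for auth_basic_user_file. nginx accepts Apache apr1 (MD5-crypt)
# hashes, which openssl can produce. $1 = user, $2 = password (prompt for it in real use).
htpasswd_line() {
  printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# fail2ban jail using fail2ban's stock nginx-http-auth filter, which matches the
# "password mismatch" / "was not found" lines nginx writes to error.log on failed basic auth.
fail2ban_jail() {
  cat <<'EOF'
[nginx-http-auth]
enabled  = true
port     = http,https
filter   = nginx-http-auth
logpath  = /var/log/nginx/error.log
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
}

# Host firewall: only SSH is reachable in tunnel mode, SSH plus 443 in proxy mode.
# 5678 is never opened; binding task-web to loopback is the second layer.
# $1 = tunnel | proxy
ufw_rules() {
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  echo "ufw allow OpenSSH"
  [ "$1" = proxy ] && echo "ufw allow 443/tcp"
  echo "ufw --force enable"
}

# Post-deployment check: feed `ss -ltn` on stdin; succeeds only if nothing listens on
# 5678 via a wildcard address (0.0.0.0, * or [::]), i.e. --host 127.0.0.1 took effect.
listen_is_loopback_only() {
  ! grep -E "(0\.0\.0\.0|\*|\[::\]):${TASKWEB_PORT}[[:space:]]" >/dev/null
}

# Render one piece when run as a script, e.g.: sh harden.sh nginx > /etc/nginx/sites-available/taskweb
case "${1:-}" in
  tunnel) ssh_tunnel_cmd "${2:-user@vps}" ;;
  nginx)  nginx_site ;;
  jail)   fail2ban_jail ;;
  ufw)    ufw_rules "${2:-proxy}" ;;
esac
```

Run `ss -ltn | sh -c '. ./harden.sh; listen_is_loopback_only'` on the VPS after starting task-web with --host 127.0.0.1; a wildcard listener means the flag was not applied. One caveat that applies to both options: the browser attaches basic-auth credentials (and, with a tunnel, reaches localhost:5678 directly) automatically, so neither setup closes the CSRF gap the README mentions; they only keep strangers from reaching the app at all.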