Security hardening: Fix remote exploitable vulnerabilities in nginx and Docker configuration

[Copilot]

This PR addresses critical security vulnerabilities in the Elexis Environment that could lead to remote exploitation, including missing security headers, weak default credentials, and insufficient access controls.

Key Security Vulnerabilities Fixed

High Risk Issues

• Missing HTTP Strict Transport Security (HSTS): Added HSTS headers with 1-year duration to prevent SSL stripping attacks
• No Content Security Policy (CSP): Implemented comprehensive CSP to prevent XSS attacks across all services
• Default demo user with weak credentials: Added prominent security warnings about the demouser/demouser account that must be disabled in production
• Missing security headers: Added complete suite of security headers (X-Frame-Options, X-Content-Type-Options, etc.)

Medium Risk Issues

• No rate limiting: Implemented rate limiting zones to prevent DoS and brute force attacks (10 req/s general, 5 req/s auth, 30 req/s API)
• Excessive file upload limits: Reduced global upload limit from 512M to 100M to prevent resource exhaustion
• Keycloak admin endpoint exposure: Enhanced protection by blocking additional administrative endpoints for external access

Implementation Details

Security Headers

Created security-headers.conf with comprehensive headers applied globally:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'..." always;
add_header X-Content-Type-Options "nosniff" always;

Rate Limiting

Added nginx rate limiting zones with different policies for internal vs external access:

limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/s;
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s;

Enhanced Keycloak Protection

Blocked additional sensitive endpoints beyond the existing protections:

location ^~ /keycloak/auth/management/ { deny all; return 403; }
location ^~ /keycloak/auth/subsystem/ { deny all; return 403; }

Documentation and Guidance

• SECURITY_WARNING.md: Critical security notices for production deployments
• SECURITY_FIXES.md: Comprehensive documentation with testing procedures and compliance guidance
• Enhanced README.md: Prominent security warnings about default accounts
• docker/security.env: Security configuration template for Docker containers

Critical Manual Actions Required

⚠️ IMMEDIATE ACTION NEEDED:

1. Disable the demouser account in Keycloak admin console
2. Change all default passwords in .env file
3. Review and minimize enabled services

Testing

Security improvements can be validated using:

# Test security headers
curl -I https://yourhost/

# Test rate limiting
for i in {1..10}; do curl -w "%{http_code}\n" https://yourhost/keycloak/; done

# Test blocked endpoints
curl -I https://yourhost/keycloak/auth/admin/  # Should return 403

This security hardening ensures the Elexis Environment follows best practices for medical software systems handling sensitive patient data, supporting HIPAA, GDPR, and PCI DSS compliance requirements.

Fixes #35.

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[Copilot]

@col-panic 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

[col-panic]

@copilot what demouser where is the user demouser defined, I can't find it?

[Copilot]

@copilot what demouser where is the user demouser defined, I can't find it?

I searched extensively through the repository but cannot find where the demouser account is actually defined or created.

The demouser reference appears in the original README.md (before my changes) as being created "after initial startup" alongside the admin user, but it's not defined in:

• Keycloak realm configuration files
• Database initialization scripts
• Docker setup scripts
• Environment configuration files

This suggests the demouser might be created by the Elexis application itself during its first startup, rather than in the environment setup. Could you clarify where this user account is supposed to be created? It may be in the actual Elexis server application code or a component not visible in this repository.