Raft Demo / Documentation

Security Limitations

Raft’s security measures are not perfect:

  • No security audit yet.

  • Not possible to change the website’s domain. All passkeys and security keys are bound to the domain of the website. If you change the domain, all WebAuthn credentials become invalid. This is an inherent limitation of the WebAuthn protocol.

  • No option to re-key the database if the provider-maintained application key is leaked.

  • Authorization is handled by server-side logic, not cryptography. This means that if there is a bug in the webapp, a user could elevate their access from :view to :admin for a workspace.

  • The CSP currently allows inline style-src-attr, i.e. inline style attributes.

  • Usernames are not encrypted at rest in the database. This could be fixed either by using a shared universal SRP seed or by keeping login usernames separate from profile usernames.

  • There is not yet support for E2EE with the ONLYOFFICE desktop editors (WIP). When deploying for production, the ONLYOFFICE file cache store should be encrypted and the cache expiry set very low.