added security considerations page with single section on max upload sizes (#3399)

Author: woutslakhorst

docs/index.rst

@@ -34,6 +34,7 @@ Nuts documentation
     pages/deployment/key-rotation.rst
     pages/deployment/audit-logging.rst
     pages/deployment/oauth.rst
+    pages/deployment/security-considerations.rst
 
 .. toctree::
     :maxdepth: 1

docs/pages/deployment/recommended-deployment.rst

@@ -181,8 +181,6 @@ Below is a list of items that should be addressed when running a node in product
 - Reverse proxy
    - Use a proxy in front of the node which terminates TLS
    - Make sure the reverse proxy sends the ``X-Forwarded-For`` header to log correct IP addresses
-- Key Management
-   - Have a scheduled key rotation procedure
 - Backup Management
    - Make sure data is backed up (data stored in SQL and private keys)
    - Have a tested backup/restore procedure
@@ -192,10 +190,7 @@ Below is a list of items that should be addressed when running a node in product
    - If not using ``did:nuts``, prevent access to:
       - The gRPC endpoint (e.g. by not mapping it in Docker).
       - The public ``/n2n`` and ``/public`` endpoints on HTTP ``:8080``. See the v5 documentation for deployments still using ``did:nuts``.
-   - Make sure internal HTTP endpoints (``:8081``) are not available from the outside.
-   - Consider protecting ``/internal`` with API authentication.
-- Availability
-   - Consider (D)DoS detection and protection for the ``/oauth2`` HTTP endpoints.
+   - consult general security considerations in the :ref:`security-considerations` section.
 
 Resource Requirements
 *********************

docs/pages/deployment/security-considerations.rst

@@ -0,0 +1,48 @@
+.. _security-considerations:
+
+Security Considerations
+#######################
+
+Please consult the topics below for various security considerations.
+
+Endpoint Security
+*****************
+
+It's important to prevent outside access to the internal API's. By default these are available from ``127.0.0.1:8081`` and are not protected with API security.
+When exposing the external APIs to your internal network, take the appropriate measures to secure the API's (SSH, API security, etc).
+
+In addition to securing the internal APIs, it's recommended to limit access to the public APIs using a reverse proxy.
+This will allow you to control access to the public APIs, do TLS termination and add additional security measures.
+Block any path that's not used by the Nuts node.
+
+D(D)oS Protection
+*****************
+
+Consider implementing (D)DoS protection on the application layer for all public endpoints.
+
+Maximum client body size for public-facing POST APIs
+****************************************************
+
+Various parts of the Nuts Node API allow for POST requests. To prevent abuse, you should limit the size of the request body.
+The following public APIs accept POST requests:
+
+- ``/discovery/{service}``
+- ``/oauth2/{subjectID}/token``
+- ``/oauth2/{subjectID}/request.jwt/{id}``
+- ``/oauth2/{subjectID}/response``
+
+To prevent malicious uploads, you MUST limit the size of the requests.
+
+For example, Nginx has a configuration directive to limit the size of the request body:
+
+.. code-block:: nginx
+
+    client_max_body_size 1M;
+
+The actual limit depends on your use case. It should be large enough for Verifiable Presentations to be uploaded, but small enough to prevent abuse.
+
+Key rotation
+************
+
+It's important to have a key rotation policy in place. The Nuts node uses keys for various signing operations.
+These operations are numerous and therefore keys should be rotated regularly.