Posted to notifications@skywalking.apache.org by wu...@apache.org on 2022/10/08 01:17:02 UTC

[skywalking] branch master updated: Add Security Notice doc (#9737)

This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git


The following commit(s) were added to refs/heads/master by this push:
     new f513161910 Add Security Notice doc (#9737)
f513161910 is described below

commit f5131619109bb572163dc9bfac608e9e54348406
Author: 吴晟 Wu Sheng <wu...@foxmail.com>
AuthorDate: Sat Oct 8 09:16:51 2022 +0800

    Add Security Notice doc (#9737)
---
 docs/en/changes/changes.md |  1 +
 docs/en/security/README.md | 30 ++++++++++++++++++++++++++++++
 docs/menu.yml              |  2 ++
 3 files changed, 33 insertions(+)

diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md
index eb9cba8c25..4ca4624d11 100644
--- a/docs/en/changes/changes.md
+++ b/docs/en/changes/changes.md
@@ -79,5 +79,6 @@
 * Move general good read blogs from `Agent Introduction` to `Academy`.
 * Add re-post for blog `Scaling with Apache SkyWalking` in the academy list.
 * Add re-post for blog `Diagnose Service Mesh Network Performance with eBPF` in the academy list.
+* Add **Security Notice** doc. 
 
 All issues and pull requests are [here](https://github.com/apache/skywalking/milestone/149?closed=1)
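Review bot: the added changelog line `* Add **Security Notice** doc. ` carries a trailing space after the period; the neighbouring entries in this list do not, so drop it before merging to keep the changelog diff-clean.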
diff --git a/docs/en/security/README.md b/docs/en/security/README.md
new file mode 100644
index 0000000000..35e98d2fe0
--- /dev/null
+++ b/docs/en/security/README.md
@@ -0,0 +1,30 @@
+# Security Notice
+
+The SkyWalking OAP server and UI should run in a secure environment, such as only inside your data center.
+OAP server, UI, and all agents deployment should only be reachable by the operation team only on default
+deployment.
+
+All telemetry data are trusted. The OAP server **would not validate any field** of the telemetry data to avoid extra
+load for the server.
+
+It is up to the operator(OPS team) whether to expose the OAP server, UI, or some agent deployment to unsecured
+environment.
+The following security policies should be considered to add to secure your SkyWalking deployment.
+
+1. HTTPs and gRPC+TLS should be used between agents and OAP servers, as well as UI.
+2. Set up TOKEN or username/password based authentications for the OAP server and UI through your Gateway.
+3. Validate all fields in the body of the traceable RPC(including HTTP 1/2, MQ) headers when requests are from out of
+   the trusted zone.
+4. All fields of telemetry data(HTTP in raw text or encoded Protobuf format) should be validated and reject malicious
+   data.
+
+Without these protections, an attacker could embed executable Javascript code in those fields, causing XSS or even
+Remote Code Execution (RCE) issues.
+
+For some sensitive environment, consider to limit the telemetry report frequency in case of DoS/DDoS for exposed OAP
+and UI services.
+
+## appendix
+
+The SkyWalking [client-js](https://github.com/apache/skywalking-client-js) agent is always running out of the secured
+environment. Please follow its **security notice** for more details.
\ No newline at end of file
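Review bot: the sentence "an attacker could embed executable Javascript code in those fields, causing XSS or even Remote Code Execution (RCE) issues" states an RCE outcome without naming any component or path by which a JavaScript string in a telemetry field would execute on the server; either point to the concrete sink being protected against or soften the claim to XSS in the UI, which the surrounding text about unvalidated fields does support. Several smaller edits are worth making in the same file: "HTTPs" in item 1 should be "HTTPS" and "Javascript" should be "JavaScript"; the second sentence of the opening paragraph says "should only be reachable by the operation team only on default deployment", which repeats "only" and reads as if the restriction applies solely to default deployments, so "should, in the default deployment, be reachable only by the operations team" is clearer; item 3, "Validate all fields in the body of the traceable RPC(including HTTP 1/2, MQ) headers", mixes "body" and "headers" and needs a space before the parenthesis, e.g. "Validate all header fields of traceable RPCs (HTTP 1/2, MQ) when requests originate outside the trusted zone"; the "## appendix" heading should be capitalised to match "# Security Notice"; and the file is missing a trailing newline.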
diff --git a/docs/menu.yml b/docs/menu.yml
index a87e597778..7b4dbb7b5f 100644
--- a/docs/menu.yml
+++ b/docs/menu.yml
@@ -209,6 +209,8 @@ catalog:
         path: "/en/protocols/readme"
       - name: "Query Protocol (GraphQL)"
         path: "/en/protocols/query-protocol"
+  - name: "Security Notice"
+    path: "/en/security/readme"
   - name: "Academy"
     catalog:
       - name: "Scaling SkyWalking server automatically in kubernetes"