Thanks for the tips, we've implemented some of those here. I'd like to put CSP in NodeBB core itself, so that's a separate issue...
General talk about the security of NodeBB
I thought I would start a thread for people to talk about the security in NodeBB and if any of the devs could outline some things that would be awesome.
So yeah post away :d
How secure is NodeBB
@xCausxn There aren't any very good websocket mapping webscanners/tools, the only real option is intercepting each websocket transmission in Burp and testing each one. From this I'd assume nobody has really bothered testing all the routes for security purposes.
The NodeBB team will patch security issues reported in the middle of the night in like 15 minutes, so they've got a great security posture.
From a permissions and logging standpoint NodeBB doesn't really step up to the plate. It's likely that if someone compromised your forum you'd have absolutely no helpful logs to detect the attacker or how they got in. This is probably the biggest security concern at the moment I'd say. The permissions system is a little haphazard right now, and I'd wager it is the most likely place you'd find security vulns (but more than likely it'd just be viewing information you shouldn't).
Luckily, if your forum was compromised, user passwords wouldn't really be too at risk. They use a secure hashing algorithm with automatic salts (you'll notice logging in takes a second!). This is because generating that hash is computationally expensive, a good thing.
Nice post, will definitely help other people too