Ports addresses for web vs api access

Or alternatively, have some webserver in front of Wekan that blocks API URLs

and only allows API calls from specific IP address

Related Docker settings here https://github.com/wekan/wekan/blob/master/docker-compose.yml#L565-L589

If doing it with only Docker

If you have Snap already, you can start additional wekan-app Docker-container without database, using settings at command line like this, with just Docker commands https://github.com/wekan/wekan/wiki/Docker

When currently coding that Worker role, I have been thinking should I add more granular role permissions, so it would be possible at Admin Panel define new roles, and specify can user with that role open cards, comment to cards, see what menu options, etc

Because otherwise I would need to code all different kind of roles myself to Wekan code

That permission system would probably be also needed with Organizations/Teams feature I'm developing

For example, which role has access to which Organization(s) or Team(s)

Or alternatively, I could try to fix current nearly-ready Worker role.

Hmm, I don't think is it a good idea to run snap+docker at the same time. It should be 2 snap or 2 docker.

If really 2 wekan installs would be required

otherwise Snap update to different version than Docker could mess up something

Maybe only one snap and some URL limiting webserver at front would be better

but I don't think having ELB in front of Wekan is good idea. Wekan requires websockets to work, and I don't know does ELB support websockets.

If there is websockets errors, you will see them in browser inspect console

Wekan does have bruteforce password guessing protections with accounts-lockout, there is snap settings for that, how many quesses are possible before blocking. Wekan also has XSS protection in web forms, and users that are not logged in can not change anything in database. Some permissions checks are serverside and some browserside, I have not tried yet is there a way to work around them in some way.

There is old hall of fame page for old security issues https://wekan.github.io/hall-of-fame/ although now that I look at it, there is old info. Wekan currently uses another accounts-lockout package and there is already settings for it.

I'm not currently aware of any existing security issues in Wekan. There is security page here https://github.com/wekan/wekan/blob/master/SECURITY.md

AFAIK old security issues have already been fixed

And Wekan dependencies are up-to-date in newest possible versions

BTW, did you listen to this episode of Security Now https://twit.tv/shows/security-now/episodes/746?autostart=false it has Show Notes here https://www.grc.com/sn/sn-746-notes.pdf it has info that it's possible for Open Source projects to ask Google to sponsor security fixes, there is link at PDF where to apply

I did ask, but it depends what they reply

Wow! That is a lot of great information. Thank you again. Here is some minor replies. AWS ELB (old style) can be made to pass websockets I believe by overloading input with TCP and http. Alternatively the application load balancer is supposed to be designed to pass websockets (no have not tried that as yet). I guess I will protect the api port addresses with whatever is in front of the wekan server be it proxy or elb, etc, and make the authentication system earn its keep. The most interesting part of your answers above is about granularity of access on objects exposed (cards and lists) by login. You listed out several reasons for, and methodologies (worker vs organization-teams), to provide limited access to exposed objects by authentication. Sounds like you are on track to get that done sometime soon. Kudos on that for you:). When I get past what I am doing, perhaps can see what exactly you are working on and if I can help, do some pull requesting on those subjects ,if the code is something I can get my head wrapped around. Otherwise what I might have to do in the mean time is register all my users of wekan through my app and let my auth system gateway to specific entities in wekan, (this card ok, this card not ok for this user. Really not sure if that is even doable versus easy. In a week I should be closer to knowing that. Thank you again sir :) All the best and Happy new Year.