6 files changed, 50 insertions, 5 deletions

diff --git a/doc/security/README.md b/doc/security/README.md
index 5d498ac7602..fe96f7f2846 100644
--- a/doc/security/README.md
+++ b/doc/security/README.md
@@ -5,6 +5,7 @@ type: index
 
 # Security
 
+- [Password storage](password_storage.md)
 - [Password length limits](password_length_limits.md)
 - [Restrict SSH key technologies and minimum length](ssh_keys_restrictions.md)
 - [Rate limits](rate_limits.md)
@@ -17,3 +18,4 @@ type: index
 - [Enforce Two-factor authentication](two_factor_authentication.md)
 - [Send email confirmation on sign-up](user_email_confirmation.md)
 - [Security of running jobs](https://docs.gitlab.com/runner/security/)
+- [Proxying images](asset_proxy.md)
diff --git a/doc/security/asset_proxy.md b/doc/security/asset_proxy.md
new file mode 100644
index 00000000000..f25910d3db7
--- /dev/null
+++ b/doc/security/asset_proxy.md
@@ -0,0 +1,28 @@
+A possible security concern when managing a public facing GitLab instance is
+the ability to steal a users IP address by referencing images in issues, comments, etc.
+
+For example, adding `![Example image](http://example.com/example.png)` to
+an issue description will cause the image to be loaded from the external
+server in order to be displayed.  However this also allows the external server
+to log the IP address of the user.
+
+One way to mitigate this is by proxying any external images to a server you
+control.  GitLab handles this by allowing you to run the "Camo" server
+[cactus/go-camo](https://github.com/cactus/go-camo#how-it-works).
+The image request is sent to the Camo server, which then makes the request for
+the original image.  This way an attacker only ever seems the IP address
+of your Camo server.
+
+Once you have your Camo server up and running, you can configure GitLab to
+proxy image requests to it.  The following settings are supported:
+
+| Attribute                | Description |
+| ------------------------ | ----------- |
+| `asset_proxy_enabled`    | (**If enabled, requires:** `asset_proxy_url`) Enable proxying of assets. |
+| `asset_proxy_secret_key` | Shared secret with the asset proxy server. |
+| `asset_proxy_url`        | URL of the asset proxy server. |
+| `asset_proxy_whitelist`  | Assets that match these domain(s) will NOT be proxied. Wildcards allowed. Your GitLab installation URL is automatically whitelisted. |
+
+These can be set via the [Application setting API](../api/settings.md)
+
+Note that a GitLab restart is required to apply any changes.
diff --git a/doc/security/information_exclusivity.md b/doc/security/information_exclusivity.md
index 749ccf924b5..7c3d7284f25 100644
--- a/doc/security/information_exclusivity.md
+++ b/doc/security/information_exclusivity.md
@@ -15,7 +15,7 @@ another project that is under their control, or onto another server.
 Therefore, it is impossible to build access controls that prevent the
 intentional sharing of source code by users that have access to the source code.
 
-This is an inherent feature of a DVCS. All git management systems have this
+This is an inherent feature of a DVCS. All Git management systems have this
 limitation.
 
 You can take steps to prevent unintentional sharing and information
diff --git a/doc/security/password_storage.md b/doc/security/password_storage.md
new file mode 100644
index 00000000000..f4e32f96f7b
--- /dev/null
+++ b/doc/security/password_storage.md
@@ -0,0 +1,13 @@
+---
+type: reference
+---
+
+# Password Storage
+
+GitLab stores user passwords in a hashed format, to prevent passwords from being visible.
+
+GitLab uses the [Devise](https://github.com/plataformatec/devise) authentication library, which handles the hashing of user passwords. Password hashes are created with the following attributes:
+
+- **Hashing**: the [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) hashing function is used to generate the hash of the provided password. This is a strong, industry-standard cryptographic hashing function.
+- **Stretching**: Password hashes are [stretched](https://en.wikipedia.org/wiki/Key_stretching) to harden against brute-force attacks. GitLab uses a stretching factor of 10 by default.
+- **Salting**: A [cryptographic salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) is added to each password to harden against pre-computed hash and dictionary attacks. Each salt is randomly generated for each password, so that no two passwords share a salt, to further increase security.
diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md
index b99bfb16829..09d29bf3446 100644
--- a/doc/security/rack_attack.md
+++ b/doc/security/rack_attack.md
@@ -77,9 +77,12 @@ authentication requests were received in a 3-minute period from a single IP addr
 This applies only to Git requests and container registry (`/jwt/auth`) requests
 (combined).
 
-This limit is reset by requests that authenticate successfully. For example, 29
-failed authentication requests followed by 1 successful request, followed by 29
-more failed authentication requests would not trigger a ban.
+This limit:
+
+- Is reset by requests that authenticate successfully. For example, 29
+  failed authentication requests followed by 1 successful request, followed by 29
+  more failed authentication requests would not trigger a ban.
+- Does not apply to JWT requests authenticated by `gitlab-ci-token`.
 
 No response headers are provided.
 
diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md
index c80f2f264b2..80088da77a0 100644
--- a/doc/security/rate_limits.md
+++ b/doc/security/rate_limits.md
@@ -30,4 +30,3 @@ similarly mitigated by a rate limit.
 This method of rate limiting is cumbersome, but has some advantages. It allows
 throttling of specific paths, and is also integrated into Git and container
 registry requests. See [Rack Attack initializer](rack_attack.md).
-