# Security Guidelines

## Important Security Practices

### Environment Variables

1. **Never commit real credentials**
   - Always use `.env.example` as a template
   - Keep actual `.env` files in `.gitignore`
   - Use different credentials for development and production

2. **Required secure values**:

   ```bash
   # Generate a secure JWT secret (example using openssl)
   openssl rand -base64 64

   # Use strong passwords for MongoDB
   # At least 16 characters with mixed case, numbers, and symbols
   ```

3. **Default credentials to change**:
   - `SUPERADMIN_EMAIL`: Change from default
   - `SUPERADMIN_PASSWORD`: Use a strong password
   - `MONGO_INITDB_ROOT_USERNAME`: Don't use "admin"
   - `MONGO_INITDB_ROOT_PASSWORD`: Use a unique password
   - `JWT_SECRET`: Must be a long random string

### Production Security Checklist

- [ ] Change all default passwords
- [ ] Use HTTPS with valid SSL certificates
- [ ] Enable MongoDB authentication
- [ ] Set `NODE_ENV=production`
- [ ] Use environment-specific `.env` files
- [ ] Enable rate limiting on API endpoints
- [ ] Regularly update all dependencies
- [ ] Monitor logs for suspicious activity
- [ ] Implement a backup strategy
- [ ] Use firewall rules to restrict access

### Git Security

Before committing:

1. Check for hardcoded credentials: `git diff --staged`
2. Verify `.gitignore` includes all sensitive files
3. Never commit:
   - `.env` files
   - SSL certificates
   - Database dumps
   - Log files
   - Deployment packages

### API Security

The application implements:

- JWT authentication with expiration
- Password hashing with bcrypt
- Role-based access control
- Input validation
- CORS configuration

### Reporting Security Issues

If you discover a security vulnerability, please email security@yourdomain.com instead of using the issue tracker.

## Development vs Production

### Development

- Can use weaker passwords for convenience
- MongoDB without authentication is acceptable
- Self-signed certificates are fine

### Production

- Must use strong, unique passwords
- MongoDB authentication is mandatory
- Valid SSL certificates from Let's Encrypt or similar
- Regular security updates
- Monitoring and alerting