# Security Guidelines

## Important Security Practices

### Environment Variables

1. **Never commit real credentials**
   - Always use `.env.example` as a template
   - Keep actual `.env` files in `.gitignore`
   - Use different credentials for development and production

2. **Required secure values**:

   ```bash
   # Generate a secure JWT secret (example using openssl)
   openssl rand -base64 64

   # Use strong passwords for MongoDB
   # At least 16 characters with mixed case, numbers, and symbols
   ```

3. **Default credentials to change**:
   - `SUPERADMIN_EMAIL`: Change from default
   - `SUPERADMIN_PASSWORD`: Use a strong password
   - `MONGO_INITDB_ROOT_USERNAME`: Don't use "admin"
   - `MONGO_INITDB_ROOT_PASSWORD`: Use a unique password
   - `JWT_SECRET`: Must be a long random string

### Production Security Checklist

- [ ] Change all default passwords
- [ ] Use HTTPS with valid SSL certificates
- [ ] Enable MongoDB authentication
- [ ] Set `NODE_ENV=production`
- [ ] Use environment-specific `.env` files
- [ ] Enable rate limiting on API endpoints
- [ ] Regularly update all dependencies
- [ ] Monitor logs for suspicious activity
- [ ] Implement backup strategy
- [ ] Use firewall rules to restrict access

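As an added example that is not part of this project's code, a Node.js boot-time guard that refuses to start when the environment still carries the weak values covered by items 2 and 3 above and by the checklist: unchanged `.env.example` defaults, `admin` as the MongoDB root user, passwords shorter than 16 mixed characters, a reused or short `JWT_SECRET`, or `NODE_ENV` not set to `production`. The function name `validateSecureEnv`, the 32-character floor for `JWT_SECRET` and the sample environments are assumptions, not values from the project.

```javascript
// Added example, not project code: boot-time guard for the values this guide lists.
// Thresholds (16-char passwords from the guide; 32-char JWT_SECRET floor) are assumptions.

// Strong password as the guide defines it: >= 16 chars with mixed case, digits, symbols.
function isStrongPassword(value) {
  return typeof value === 'string' && value.length >= 16 &&
    /[a-z]/.test(value) && /[A-Z]/.test(value) &&
    /[0-9]/.test(value) && /[^A-Za-z0-9]/.test(value);
}

// Returns a list of problems; an empty list means the environment passes.
// `env` is the live environment (e.g. process.env), `example` the parsed .env.example.
function validateSecureEnv(env, example = {}) {
  const problems = [];
  if (env.NODE_ENV !== 'production') problems.push('NODE_ENV: must be "production"');
  // A value still equal to the template is an unchanged default (this also covers SUPERADMIN_EMAIL).
  for (const key of Object.keys(example)) {
    if (key in env && env[key] === example[key]) problems.push(`${key}: still the .env.example default`);
  }
  if (env.MONGO_INITDB_ROOT_USERNAME === 'admin') problems.push('MONGO_INITDB_ROOT_USERNAME: must not be "admin"');
  for (const key of ['SUPERADMIN_PASSWORD', 'MONGO_INITDB_ROOT_PASSWORD']) {
    if (!isStrongPassword(env[key])) problems.push(`${key}: needs >= 16 chars with mixed case, numbers and symbols`);
  }
  if (env.SUPERADMIN_PASSWORD && env.SUPERADMIN_PASSWORD === env.MONGO_INITDB_ROOT_PASSWORD) {
    problems.push('MONGO_INITDB_ROOT_PASSWORD: must be unique, not reused from SUPERADMIN_PASSWORD');
  }
  // `openssl rand -base64 64` yields 88 chars; 32 is an assumed minimum for a random secret.
  if (typeof env.JWT_SECRET !== 'string' || env.JWT_SECRET.length < 32) problems.push('JWT_SECRET: must be a long random string');
  return problems;
}

// Constructed sample inputs (not real credentials): the template, a weak env, a hardened env.
const EXAMPLE_ENV = { SUPERADMIN_EMAIL: 'admin@example.com', SUPERADMIN_PASSWORD: 'changeme', JWT_SECRET: 'changeme' };
const WEAK_ENV = { NODE_ENV: 'development', SUPERADMIN_EMAIL: 'admin@example.com', SUPERADMIN_PASSWORD: 'changeme',
  MONGO_INITDB_ROOT_USERNAME: 'admin', MONGO_INITDB_ROOT_PASSWORD: 'changeme', JWT_SECRET: 'changeme' };
const STRONG_ENV = { NODE_ENV: 'production', SUPERADMIN_EMAIL: 'ops@corp.example', SUPERADMIN_PASSWORD: 'Zq7!vLm2#pRt9$wX',
  MONGO_INITDB_ROOT_USERNAME: 'appdb_root', MONGO_INITDB_ROOT_PASSWORD: 'Hk4&nBv8@cYt1%sD',
  JWT_SECRET: 'CONSTRUCTED-SAMPLE-NOT-RANDOM-xK9vQ2mT7bL4nW8' };

// Wire into app startup as: const problems = validateSecureEnv(process.env, parsedExample);
// if (problems.length) { console.error(problems.join('\n')); process.exit(1); }
console.log('weak env problems:', validateSecureEnv(WEAK_ENV, EXAMPLE_ENV).length);   // 9
console.log('strong env problems:', validateSecureEnv(STRONG_ENV, EXAMPLE_ENV).length); // 0
```

Parsing `.env.example` into the `example` object is left to whatever dotenv-style loader the app already uses; the guard only compares values.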
### Git Security

Before committing:

1. Check for hardcoded credentials: `git diff --staged`
2. Verify `.gitignore` includes all sensitive files
3. Never commit:
   - `.env` files
   - SSL certificates
   - Database dumps
   - Log files
   - Deployment packages

### API Security

The application implements:

- JWT authentication with expiration
- Password hashing with bcrypt
- Role-based access control
- Input validation
- CORS configuration

### Reporting Security Issues

If you discover a security vulnerability, please email security@yourdomain.com instead of using the issue tracker.

## Development vs Production

### Development

- Can use weaker passwords for convenience
- MongoDB without authentication is acceptable
- Self-signed certificates are fine

### Production

- Must use strong, unique passwords
- MongoDB authentication is mandatory
- Valid SSL certificates from Let's Encrypt or similar
- Regular security updates
- Monitoring and alerting