# Security Guidelines

## Important Security Practices

### Environment Variables

- Never commit real credentials
- Always use `.env.example` as a template
- Keep actual `.env` files in `.gitignore`
- Use different credentials for development and production
- Required secure values:

  ```bash
  # Generate a secure JWT secret (example using openssl)
  openssl rand -base64 64

  # Use strong passwords for MongoDB:
  # at least 16 characters with mixed case, numbers, and symbols
  ```

- Default credentials to change:
  - `SUPERADMIN_EMAIL`: change from the default
  - `SUPERADMIN_PASSWORD`: use a strong password
  - `MONGO_INITDB_ROOT_USERNAME`: don't use "admin"
  - `MONGO_INITDB_ROOT_PASSWORD`: use a unique password
  - `JWT_SECRET`: must be a long random string (for example, the output of `openssl rand -base64 64`)
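The rules above can be enforced when the application starts instead of being left to memory. The following is an added example written for this page, not code from the project: it parses a `.env` file and the `.env.example` template with a small parser, then reports every variable that still carries its template value, a `MONGO_INITDB_ROOT_USERNAME` of `admin`, a `JWT_SECRET` shorter than 32 characters and, when `NODE_ENV=production`, any password that misses the 16-character mixed-class rule. The 32-character floor, the function names, the `--check` flag and the sample values are assumptions made for the demonstration.

```javascript
'use strict';
// Added example, not the project's own code. Validates the variables this
// page lists; the 32-character JWT_SECRET floor is an assumption (the
// recommended `openssl rand -base64 64` yields 88 characters).

const REQUIRED = [
  'SUPERADMIN_EMAIL', 'SUPERADMIN_PASSWORD',
  'MONGO_INITDB_ROOT_USERNAME', 'MONGO_INITDB_ROOT_PASSWORD', 'JWT_SECRET',
];
const PASSWORD_VARS = ['SUPERADMIN_PASSWORD', 'MONGO_INITDB_ROOT_PASSWORD'];

// Minimal .env parser: KEY=value per line, '#' comments, optional quotes.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    let value = line.slice(eq + 1).trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    out[line.slice(0, eq).trim()] = value;
  }
  return out;
}

// The page's strong-password rule: >= 16 chars with upper, lower, digit, symbol.
function isStrongPassword(p) {
  return typeof p === 'string' && p.length >= 16 &&
    /[a-z]/.test(p) && /[A-Z]/.test(p) && /[0-9]/.test(p) && /[^A-Za-z0-9]/.test(p);
}

// Returns a list of problems; an empty list means the environment passes.
// `example` is the parsed .env.example: a value equal to its template
// placeholder counts as a default that was never changed.
function validateEnv(env, example) {
  const problems = [];
  for (const key of REQUIRED) {
    if (!env[key]) problems.push(`${key} is not set`);
    else if (env[key] === example[key]) problems.push(`${key} still has its .env.example value`);
  }
  if (env.MONGO_INITDB_ROOT_USERNAME === 'admin') {
    problems.push('MONGO_INITDB_ROOT_USERNAME must not be "admin"');
  }
  // A short or guessable JWT_SECRET lets anyone mint valid tokens, so this
  // check applies in every environment, not just production.
  if (env.JWT_SECRET && env.JWT_SECRET.length < 32) {
    problems.push('JWT_SECRET is shorter than 32 characters');
  }
  if (env.NODE_ENV === 'production') {
    for (const key of PASSWORD_VARS) {
      if (env[key] && !isStrongPassword(env[key])) problems.push(`${key} does not meet the strength policy`);
    }
    if (env.SUPERADMIN_PASSWORD && env.SUPERADMIN_PASSWORD === env.MONGO_INITDB_ROOT_PASSWORD) {
      problems.push('SUPERADMIN_PASSWORD and MONGO_INITDB_ROOT_PASSWORD are identical');
    }
  }
  return problems;
}

// Constructed sample inputs (not real credentials) for the demonstration.
const EXAMPLE_TEMPLATE = parseDotenv(`
SUPERADMIN_EMAIL=admin@example.com
SUPERADMIN_PASSWORD=changeme
MONGO_INITDB_ROOT_USERNAME=admin
MONGO_INITDB_ROOT_PASSWORD=changeme
JWT_SECRET=replace-with-output-of-openssl-rand
`);
const WEAK_PRODUCTION = parseDotenv(`
NODE_ENV=production
SUPERADMIN_EMAIL=admin@example.com
SUPERADMIN_PASSWORD=Password1!
MONGO_INITDB_ROOT_USERNAME=admin
MONGO_INITDB_ROOT_PASSWORD=changeme
JWT_SECRET=secret
`);
const HARDENED_PRODUCTION = parseDotenv(`
NODE_ENV=production
SUPERADMIN_EMAIL=ops-owner@corp.example
SUPERADMIN_PASSWORD="Kq7#vL2m!pR9zX4w@Bn"
MONGO_INITDB_ROOT_USERNAME=appsvc
MONGO_INITDB_ROOT_PASSWORD="Tz8$hN3c^Wq6yF1v&Jd"
JWT_SECRET=R8v2q9zX1kL7mP4wT6yB3nC5dF0gH2jK4lM6nO8pQ1rS3tU5vW7xY9zA2bC4dE6fG
`);

// Usage: node check-env.js --check .env .env.example   (exits 1 on any problem)
if (typeof require !== 'undefined' && require.main === module && process.argv[2] === '--check') {
  const fs = require('fs');
  const found = validateEnv(
    parseDotenv(fs.readFileSync(process.argv[3] || '.env', 'utf8')),
    parseDotenv(fs.readFileSync(process.argv[4] || '.env.example', 'utf8')),
  );
  for (const p of found) console.error(`env check: ${p}`);
  process.exit(found.length ? 1 : 0);
}
```

Run with `--check` from a deployment script before the server is started, so a container that still carries template credentials refuses to come up. The `WEAK_PRODUCTION` sample trips seven of the checks; the `HARDENED_PRODUCTION` sample passes all of them.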
### Production Security Checklist

- Change all default passwords
- Use HTTPS with valid SSL certificates
- Enable MongoDB authentication
- Set `NODE_ENV=production`
- Use environment-specific `.env` files
- Enable rate limiting on API endpoints
- Regularly update all dependencies
- Monitor logs for suspicious activity
- Implement backup strategy
- Use firewall rules to restrict access
### Git Security

Before committing:

- Check for hardcoded credentials by reviewing the staged diff:

  ```bash
  git diff --staged
  ```

- Verify `.gitignore` includes all sensitive files
- Never commit:
  - `.env` files
  - SSL certificates (and their private keys)
  - Database dumps
  - Log files
  - Deployment packages
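Reading `git diff --staged` by eye is the minimum; the same check can be mechanised as a pre-commit step. The block below is an added example written for this page, not a tool the project ships: it parses unified-diff output, flags any added `.env`, certificate, key, dump or log file from the list above, and scans added lines for private-key headers, `SECRET`/`PASSWORD`/`TOKEN` assignments, MongoDB URIs that embed a password, and JWT-shaped strings. The path and content patterns, the exemption for `.env.example` (the template is expected to hold placeholders), the `--stdin` flag and the sample diff are all assumptions; tune the patterns to the repository.

```javascript
'use strict';
// Added example, not the project's own code: a pre-commit scan over
// `git diff --staged` output. The patterns are heuristics chosen for this page.

// Paths from the "Never commit" list. `.env.example` is the template and is
// allowed; every other `.env*` file is not.
const FORBIDDEN_PATHS = [
  { rule: '.env file', re: /(^|\/)\.env(\.[^\/]+)?$/, allow: /\.env\.example$/ },
  { rule: 'certificate or key', re: /\.(pem|key|crt|cer|p12|pfx)$/ },
  { rule: 'database dump', re: /\.(bson|dump|archive|sql|sql\.gz)$/ },
  { rule: 'log file', re: /\.log$/ },
];

// Content patterns applied to added ('+') lines only.
const SECRET_PATTERNS = [
  { rule: 'private key', re: /-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----/ },
  { rule: 'credential assignment', re: /\b[A-Z0-9_]*(?:SECRET|PASSWORD|TOKEN)[A-Z0-9_]*\s*[=:]\s*['"]?[^\s'"]{8,}/ },
  { rule: 'MongoDB URI with password', re: /mongodb(?:\+srv)?:\/\/[^:\/\s]+:[^@\s]+@/ },
  { rule: 'JWT', re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/ },
];

// Walk a unified diff and return [{ file, line, rule, text }]. `line` is the
// line number in the new version of the file (0 for a whole-file finding).
function scanDiff(diff) {
  const findings = [];
  let file = null;      // current file; null while inside a deleted file
  let template = false; // inside .env.example, where placeholders are expected
  let lineNo = 0;
  for (const line of diff.split('\n')) {
    let m;
    if ((m = /^\+\+\+ (?:b\/)?(.+)$/.exec(line))) {
      file = m[1] === '/dev/null' ? null : m[1];
      if (!file) continue;
      template = /\.env\.example$/.test(file);
      for (const p of FORBIDDEN_PATHS) {
        if (p.re.test(file) && !(p.allow && p.allow.test(file))) {
          findings.push({ file, line: 0, rule: p.rule, text: file });
        }
      }
      continue;
    }
    if ((m = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(line))) { lineNo = parseInt(m[1], 10); continue; }
    if (line.startsWith(' ')) { lineNo++; continue; } // unchanged context line
    if (!line.startsWith('+')) continue;               // removed lines, file headers, markers
    const content = line.slice(1);
    // Reading a value from the environment is the fix, not a leak, so skip it.
    if (file && !template && !content.includes('process.env')) {
      for (const p of SECRET_PATTERNS) {
        if (p.re.test(content)) findings.push({ file, line: lineNo, rule: p.rule, text: content.trim() });
      }
    }
    lineNo++;
  }
  return findings;
}

// Constructed sample diff with fake credentials, standing in for real `git diff --staged` output.
const SAMPLE_DIFF = [
  'diff --git a/src/config.js b/src/config.js',
  'index 1111111..2222222 100644',
  '--- a/src/config.js',
  '+++ b/src/config.js',
  '@@ -1,4 +1,6 @@',
  " 'use strict';",
  '-const uri = process.env.MONGO_URI;',
  "+const uri = 'mongodb://root:Sup3rS3cret!@db.internal:27017/app';",
  "+const JWT_SECRET = 'hunter2hunter2';",
  '+const fromEnv = process.env.JWT_SECRET;',
  ' module.exports = { uri };',
  'diff --git a/.env b/.env',
  'new file mode 100644',
  '--- /dev/null',
  '+++ b/.env',
  '@@ -0,0 +1,2 @@',
  '+SUPERADMIN_PASSWORD=changeme123',
  '+JWT_SECRET=abc',
  'diff --git a/.env.example b/.env.example',
  'new file mode 100644',
  '--- /dev/null',
  '+++ b/.env.example',
  '@@ -0,0 +1 @@',
  '+JWT_SECRET=your-secret-here',
].join('\n');

// Usage: git diff --staged | node check-staged.js --stdin   (exits 1 on findings)
function main(args) {
  const diff = args.includes('--stdin') ? require('fs').readFileSync(0, 'utf8') : SAMPLE_DIFF;
  const findings = scanDiff(diff);
  for (const f of findings) console.error(`${f.file}:${f.line}: ${f.rule}: ${f.text}`);
  return findings.length ? 1 : 0;
}

if (typeof require !== 'undefined' && require.main === module) {
  const args = process.argv.slice(2);
  const code = main(args);
  if (args.includes('--stdin')) process.exitCode = code; // the demo run over SAMPLE_DIFF always exits 0
}
```

Wire it in as a `pre-commit` hook (`git diff --staged | node check-staged.js --stdin`) so a non-zero exit blocks the commit. On the sample diff it reports the MongoDB URI and the literal `JWT_SECRET` in `src/config.js`, the `.env` file itself and the password inside it, and nothing for `.env.example` or for the line that reads `process.env.JWT_SECRET`.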
### API Security

The application implements:
- JWT authentication with expiration
- Password hashing with bcrypt
- Role-based access control
- Input validation
- CORS configuration
### Reporting Security Issues

If you discover a security vulnerability, please email security@yourdomain.com instead of using the issue tracker.
### Development vs Production

#### Development

- Can use weaker passwords for convenience
- MongoDB without authentication is acceptable, provided it is bound to localhost and not reachable from the network
- Self-signed certificates are fine
#### Production

- Must use strong, unique passwords
- MongoDB authentication is mandatory
- Valid SSL certificates from Let's Encrypt or similar
- Regular security updates
- Monitoring and alerting