Security Hardening
This guide covers security best practices for hardening your Rack Gateway deployment.
Network Security
Section titled “Network Security”Private Network Deployment
Section titled “Private Network Deployment”Deploy the gateway on a private network, not exposed to the public internet:
Options:
- Tailscale - Zero-config VPN
- AWS VPN - Site-to-site VPN
- AWS PrivateLink - Private connectivity
TLS Configuration
Section titled “TLS Configuration”All traffic should use TLS:
# Required environment variablesGATEWAY_URL=https://gateway.example.com
# TLS certificate (for standalone deployment)TLS_CERT_FILE=/etc/ssl/certs/gateway.crtTLS_KEY_FILE=/etc/ssl/private/gateway.keyWhen deployed on Convox, TLS is handled by the load balancer.
Firewall Rules
Section titled “Firewall Rules”Restrict network access:
| Port | Source | Destination | Protocol |
|---|---|---|---|
| 443 | VPN/Tailscale | Gateway | HTTPS |
| 5432 | Gateway | RDS | PostgreSQL |
| 443 | Gateway | Convox API | HTTPS |
Block all other inbound traffic to the gateway.
Authentication Hardening
Section titled “Authentication Hardening”OAuth Configuration
Section titled “OAuth Configuration”Secure your OAuth setup:
# Required: Restrict to your domainGOOGLE_ALLOWED_DOMAIN=yourcompany.com
# Strong secret key (generate with: openssl rand -base64 32)APP_SECRET_KEY=<random-32-byte-value>MFA Enforcement
Section titled “MFA Enforcement”Require MFA for all users or privileged roles:
| Setting | Recommended Value | Notes |
|---|---|---|
| MFA Required | All users | Or at minimum, admins/deployers |
| Step-up Window | 10 minutes | Shorter for higher security |
| Trusted Device TTL | 7 days | Or disable for highest security |
Session Security
Section titled “Session Security”Configure secure session settings:
# Short idle timeout (5-15 minutes recommended)SESSION_TIMEOUT_MINUTES=5
# Secure cookies (automatic in production)SECURE_COOKIES=trueRBAC Hardening
Section titled “RBAC Hardening”Role Assignment
Section titled “Role Assignment”Follow least privilege principles:
| User Type | Role | Notes |
|---|---|---|
| Most engineers | Viewer | Start here, upgrade as needed |
| Active developers | Deployer | Only if deploying regularly |
| On-call/SRE | Ops | Debug without deploy access |
| CI/CD pipelines | CI/CD token | Never Deployer or Admin |
| Platform admins | Admin | 2-3 people maximum |
API Token Security
Section titled “API Token Security”Secure your API tokens:
-
Use CI/CD role for automation
Never give deployer or admin to CI/CD pipelines
-
Rotate tokens regularly
Production tokens: quarterly minimum
-
Use separate tokens per environment
Different tokens for staging vs production
-
Monitor token usage
Review unused tokens monthly
-
Delete unused tokens immediately
Don’t keep “just in case” tokens
Admin Access
Section titled “Admin Access”Restrict administrative access:
- Maximum 2-3 admin users
- Require MFA for all admins
- Review admin actions weekly
- Document who has admin access and why
Secrets Management
Section titled “Secrets Management”Environment Variables
Section titled “Environment Variables”Protect sensitive environment variables:
# Mark variables as protected (hidden in UI)PROTECTED_ENV_VARS=DATABASE_URL,API_KEY,SECRET_KEY
# Never log these patternsREDACT_PATTERNS=password,secret,token,key,credentialSecret Storage
Section titled “Secret Storage”Store secrets securely:
| Secret | Storage Location | Notes |
|---|---|---|
GOOGLE_CLIENT_SECRET | AWS Secrets Manager | Or Convox environment |
APP_SECRET_KEY | AWS Secrets Manager | Critical - rotate annually |
DATABASE_URL | Convox environment | With password |
| API tokens | CI/CD secrets | GitHub/CircleCI secrets |
Never store secrets in:
- Git repositories
- Environment files checked into git
- Logs or audit trails
- Error messages
Database Security
Section titled “Database Security”PostgreSQL Configuration
Section titled “PostgreSQL Configuration”Secure your database:
# RDS configuration (Terraform)resource "aws_db_instance" "gateway" { # Encryption at rest storage_encrypted = true kms_key_id = aws_kms_key.rds.arn
# Network isolation publicly_accessible = false vpc_security_group_ids = [aws_security_group.rds.id]
# Audit logging enabled_cloudwatch_logs_exports = ["postgresql"]}Database Access
Section titled “Database Access”Restrict database access:
- Gateway application only (no direct access)
- Separate admin credentials for migrations
- VPC-only access (no public endpoint)
- Encrypted connections (require SSL)
Audit and Monitoring
Section titled “Audit and Monitoring”Audit Configuration
Section titled “Audit Configuration”Enable comprehensive auditing:
# Enable all audit featuresAUDIT_ENABLED=trueAUDIT_LOG_REQUESTS=trueAUDIT_LOG_RESPONSES=false # Don't log response bodiesS3 WORM for Compliance
Section titled “S3 WORM for Compliance”For compliance requirements:
AUDIT_ANCHOR_S3_BUCKET=audit-anchor-productionAUDIT_ANCHOR_S3_REGION=us-east-1See Data Retention for full configuration.
Security Alerting
Section titled “Security Alerting”Configure alerts for security events:
# Slack notificationsSLACK_WEBHOOK_URL=https://hooks.slack.com/...SLACK_NOTIFY_SECURITY_EVENTS=true
# Email alertsPOSTMARK_API_KEY=your-keySECURITY_ALERT_EMAIL=security@example.comAlert on:
- Multiple failed login attempts
- RBAC denials
- Admin actions
- Account locks
- Token creation/deletion
Deployment Hardening
Section titled “Deployment Hardening”Container Security
Section titled “Container Security”Secure your container deployment:
services: gateway: # Run as non-root user user: "65534:65534"
# Read-only filesystem volumes: - /tmp:rw
# Resource limits cpu: 256 memory: 512Health Checks
Section titled “Health Checks”Configure health checks without exposing sensitive information:
services: gateway: health: path: /api/v1/health interval: 30 timeout: 5The health endpoint should not require authentication and should not expose internal details.
Security Checklist
Section titled “Security Checklist”Pre-Production
Section titled “Pre-Production”- Gateway on private network (VPN/Tailscale)
- HTTPS enforced with valid certificate
- OAuth domain restriction configured
- MFA required for privileged users
- Session timeout ≤ 15 minutes
- Admin users ≤ 3
- CI/CD uses CI/CD role tokens
- Database encrypted and VPC-only
- Audit logging enabled
- S3 WORM configured (if required)
- Security alerts configured
- Incident response runbook created
Ongoing
Section titled “Ongoing”- Weekly admin action review
- Monthly token audit
- Quarterly access review
- Annual secret rotation
- Regular security scanning
- Incident response testing
Security Headers
Section titled “Security Headers”The gateway sets secure HTTP headers:
| Header | Value | Purpose |
|---|---|---|
Strict-Transport-Security | max-age=31536000 | Force HTTPS |
X-Content-Type-Options | nosniff | Prevent MIME sniffing |
X-Frame-Options | DENY | Prevent clickjacking |
Content-Security-Policy | Strict policy | Prevent XSS |
X-XSS-Protection | 1; mode=block | XSS filter |
Content Security Policy
Section titled “Content Security Policy”The gateway uses a strict CSP:
default-src 'self';script-src 'self' 'nonce-xxx';style-src 'self' 'nonce-xxx';img-src 'self' data:;font-src 'self';connect-src 'self';frame-ancestors 'none';Incident Response
Section titled “Incident Response”Compromised Account
Section titled “Compromised Account”- Lock the account immediately
- Revoke all sessions
- Review audit logs for suspicious activity
- Rotate any accessed secrets
- Investigate root cause
- Unlock after re-verification
Compromised Token
Section titled “Compromised Token”- Delete the token immediately
- Review audit logs for token usage
- Create replacement token
- Update affected systems
- Investigate how token was exposed
Suspected Breach
Section titled “Suspected Breach”- Lock all non-admin accounts
- Revoke all sessions
- Rotate all secrets
- Enable enhanced logging
- Review last 30 days of audit logs
- Engage security team / incident response
Next Steps
Section titled “Next Steps”- Private Network - VPN deployment
- SOC 2 - Compliance alignment
- Audit Trail - Audit logging