Harden auth login against brute-force and refresh security docs

2026-03-01 18:24:26 -03:00
parent 9cbbd80f47
commit 4c27fd6483
12 changed files with 715 additions and 3 deletions
--- a/README.md
+++ b/README.md
@@ -73,6 +73,37 @@ Stop the stack:
 docker compose down
 ```

+## Security Must-Know Before Real User Deployment
+
+This repository starts in a development-friendly mode. Before exposing it to real users or untrusted networks, verify these controls:
+
+1. Environment mode and host binding:
+- Set `APP_ENV=production`.
+- Keep `HOST_BIND_IP=127.0.0.1` and publish through an HTTPS reverse proxy instead of broad host bind.
+
+2. Bootstrap credentials:
+- Replace all `AUTH_BOOTSTRAP_*` values with strong unique passwords before first public deployment.
+- Disable optional bootstrap user credentials unless they are needed.
+
+3. Processing log text persistence:
+- Keep `PROCESSING_LOG_STORE_MODEL_IO_TEXT=false` and `PROCESSING_LOG_STORE_PAYLOAD_TEXT=false` unless temporary debugging is required.
+- Enabling these values can store sensitive prompt, response, and payload text.
+
+4. Provider outbound restrictions:
+- Keep `PROVIDER_BASE_URL_ALLOW_HTTP=false` and `PROVIDER_BASE_URL_ALLOW_PRIVATE_NETWORK=false`.
+- Set a strict `PROVIDER_BASE_URL_ALLOWLIST` containing only approved provider hosts.
+
+5. Public URL and CORS posture:
+- Use HTTPS in `PUBLIC_BASE_URL`.
+- Restrict `CORS_ORIGINS` to exact production frontend origins only.
+
+6. Redis transport security:
+- For live deployments, use `REDIS_URL` with `rediss://`, set `REDIS_SECURITY_MODE=strict`, and set `REDIS_TLS_MODE=required`.
+
+7. Development compose defaults:
+- Review `.env.example` and `docker-compose.yml` security-related defaults before deployment.
+- Do not promote development defaults unchanged into production.
+
 ## Common Operations

 Start or rebuild: