Skip to content
Jetrepo
Esc
navigateopen⌘Jpreview
On this page

Security checklist

Review secrets, HTTPS, origins, cookies, public objects, keys, and logs.

Use this checklist before launch and after changes to topology, origins, credentials, images, or recovery policy.

Access

You need network, proxy, deployment-secret, OAuth, storage, and container administration.

Network and identity

  • Route only Admin app, Core API, Delivery API, Image service, and object S3 API through HTTPS.
  • Keep Postgres and Redis private. Keep the object-storage console private by default.
  • Use the exact Admin trusted origin and the narrowest AUTH_COOKIE_DOMAIN.
  • Include Apollo Studio in the CORS exposure review; Core’s shipped CORS policy allows that origin in addition to configured trusted origins.
  • Review or proxy-restrict the public /api/docs API reference and GraphQL landing page and introspection for your exposure policy.
  • Register the exact Google callback and restrict sign-in to the intended Workspace domain.
  • Test an allowed-domain account and a disallowed-domain account.

Secrets and data

  • Use unique, high-entropy Postgres, Redis, Better Auth, image-signing, object-storage, Google, and webhook credentials.
  • Keep secrets out of the checkout, browser bundles, shell history, screenshots, and shared Compose output.
  • Keep shared values synchronized across every consumer listed in Environment values.
  • Follow a service-specific rotation plan proven in isolation. Compose has no dual-secret overlap, and no credential rotation has been project-drilled.
  • Accept and test that the configured bucket permits anonymous object downloads. Do not store private material under that policy.
  • Treat the shared MINIO_ROOT_USER and MINIO_ROOT_PASSWORD as object-store administrator credentials. The supported Compose stack gives them to Core API, Worker, and Image service rather than issuing least-privilege application credentials; isolate those containers and rotate every consumer together.
  • Redact credentials, cookies, signed links, personal data, and content before exporting logs.

Supply chain and recovery

  • Record the trusted source revision and resolved image digests for every deployment.
  • Review floating third-party image changes before redeployment.
  • Protect backup destinations and deployment-secret copies separately from the host.
  • Prove an isolated restore and a compromise return plan before relying on backups.
  • Scan public exposure from outside the deployment network and confirm ports 5432, 6379, and an unprotected console are unreachable.

Test secret mismatch and recovery behavior in isolation, not by breaking a production consumer. Restoring a coherent old secret set is acceptable only when the old values are not compromised.

The production Compose definition adds no WAF, rate limiter, SIEM, log retention, secret manager, certificate manager, or incident-response automation. Credential rotation, revocation, external exposure scanning, digest pinning, and compromise recovery remain operator procedures without repository-backed drills.

Was this page helpful?