Security audit

[jhodapp]

Requirements

1. Scan the code for any default passwords or security keys / tokens that could present a production security hole
2. Set strong, unique passwords and assign production keys / tokens to production deployment that never get checked into source control

[jhodapp]

Production Deployment Minimum Security Actions

• Check that all of our backend and frontend dependencies are up to date
• Check for any outstanding CVEs of medium severity or higher in dependencies and upstream container images being used
• Use refactor user for the postgres user instead of doadmin
• Change passwords everywhere:
  • Seeded admin user in the refactor DB
  • doadmin user password
• Double check file systems permissions on all deployed files for them being as restrictive as possible but still functions
  • Make sure deploy user owns everything in the deployment directory

[jhodapp]

Server Infrastructure

System Hardening

• Enable Ubuntu Pro with Security Guide (USG) for CIS benchmarks level 1
• Update system packages and enable automatic security updates
• Configure UFW firewall - only allow necessary ports (80, 443)
• Disable root SSH login and enforce SSH key authentication only
• SSH is not accessible from the public internet
• Install and configure Fail2Ban for intrusion prevention
• Set strong password policies and disable password authentication
• Configure sudo timeout and limit sudo access to specific users
• Check on group permissions and downgrade unnecessary user + group access
• Disable unnecessary services and remove unused packages
• Enable process accounting (psacct) for audit trails
• Configure log rotation and centralized logging
• Set proper file permissions (especially for config files)
• Enable AppArmor/SELinux if not already active
• Configure network time synchronization (NTP)
• Disable IPv6 if not needed

Monitoring and Logging

• Install monitoring tools (htop, iotop, netstat alternatives)
• Configure system monitoring with alerts for unusual activity
• Set up log analysis tools (rsyslog, journald configuration)
• Monitor disk usage and configure alerts
• Track failed login attempts and suspicious activities

[jhodapp]

Rust Backend Security

Development Environment

• Use stable Rust toolchain (not nightly for production)
• Keep default Cargo profile settings for security
• Run cargo audit regularly to check for vulnerable dependencies
• Use cargo outdated to identify outdated dependencies
• Check for unsafe code in dependencies using cargo-geiger
• Run clippy linter with security-focused rules
• Use rustfmt for consistent code formatting

Code Security

• Avoid unsafe blocks entirely unless absolutely necessary
• Use appropriate arithmetic operations to prevent overflows
• Implement comprehensive error handling with custom Error types
• Use ? operator instead of try! macro
• Avoid functions that can panic in production code
• Use .get() method for array access instead of direct indexing
• Handle FFI panic correctly if using foreign function interfaces
• Zero out sensitive data from memory after use
• Avoid memory leaks and check ManuallyDrop usage
• Validate all input data thoroughly
• Use prepared statements for database queries
• Implement rate limiting for API endpoints
• Add request timeout handling
• Use secure random number generation for tokens/keys

Dependencies and Libraries

• Audit all third-party crates for security issues
• Pin dependency versions in Cargo.lock
• Review licenses of all dependencies
• Minimize dependency count - remove unused crates
• Use only well-maintained crates with active communities
• Check for transitive dependencies with security issues

Runtime Security

• Run application as non-root user with minimal privileges
• Use systemd service files with security restrictions
• Configure resource limits (memory, CPU, file descriptors)
• Implement structured logging with appropriate log levels
• Add health check endpoints for monitoring
• Configure graceful shutdown handling
• Use secrets management (environment variables, vault)
• Implement JWT token validation with proper expiration
• Add CORS policies appropriately configured
• Use HTTPS only with proper TLS configuration

[jhodapp]

Next.js Frontend Security

• Production security guide reference

Framework Security

• Update to latest stable Next.js version (≥15.2.3 to avoid CVE-2025-29927)
• Enable TypeScript with strict mode
• Use Next.js built-in security features (CSP, headers)
• Configure security headers in next.config.js
• Implement Content Security Policy (CSP)
• Use next/head component for proper meta tags
• Enable HSTS headers for HTTPS enforcement
• Configure X-Frame-Options to prevent clickjacking
• Set X-Content-Type-Options to prevent MIME sniffing
• Configure Referrer-Policy appropriately

Build and Dependencies

• Audit npm packages using npm audit or yarn audit
• Update all dependencies to latest secure versions
• Remove unused dependencies and dev dependencies from production
• Use package-lock.json or yarn.lock for reproducible builds
• Configure .gitignore properly (exclude .env files)
• Run security scanners in CI/CD pipeline
• Use Snyk or similar for continuous security monitoring

Code Security

• Validate all user inputs on both client and server
• Sanitize data before rendering (prevent XSS)
• Use parameterized queries for database operations
• Implement proper authentication and session management
• Add CSRF protection for forms
• Use secure cookie settings (httpOnly, secure, sameSite)
• Implement proper authorization checks
• Avoid exposing sensitive data in client-side code
• Use environment variables for configuration
• Implement input validation on API routes

API Security

• Rate limit API endpoints to prevent abuse
• Implement proper error handling (don't expose stack traces)
• Use CORS correctly with appropriate origins
• Add request/response logging for monitoring
• Implement API versioning strategy
• Use proper HTTP status codes
• Add request size limits to prevent DoS
• Implement timeout handling for external requests

[jhodapp]

Database Security (PostgreSQL)

Managed DB Configuration

• Configure trusted sources (restrict to app server IPs only)
• Enable SSL/TLS encryption with verify-ca or verify-full mode
• Use connection pooling appropriately
• Set up monitoring for database performance and security
• Configure automated backups with appropriate retention
• Review firewall rules for database access
• Use VPC networking if available
• Monitor connection logs for suspicious activity

Database Security Best Practices

• Create dedicated database users with minimal privileges
• Avoid using superuser accounts for application connections
• Use separate databases for different environments
• Implement row-level security where appropriate
• Audit sensitive operations with logging
• Use prepared statements to prevent SQL injection
• Encrypt sensitive columns at application level if needed
• Regular security assessments of database access patterns
• Monitor for unusual query patterns
• Set connection limits appropriately
• Use SSL client certificates for enhanced authentication
• Regular password rotation for database users

[jhodapp]

Network and Infrastructure Security

Reverse Proxy

• Configure TLS 1.2/1.3 only with strong cipher suites
• Implement SSL/TLS certificates from Let's Encrypt or CA
• Configure HTTP to HTTPS redirects
• Set security headers in proxy configuration
• Implement rate limiting at proxy level
• Configure request size limits
• Hide server version information
• Set up log monitoring for proxy access/error logs
• Configure timeout settings appropriately
• Implement IP whitelisting if applicable

Digital Ocean Specific

• Configure VPC networking for internal communication
• Use private networking between services where possible
• Set up monitoring alerts for resource usage
• Configure backup strategies for droplets and data
• Review security groups and firewall rules
• Add a robots.txt to our frontend to try and dissuade unnecessary crawler traffic
• Enable DDoS protection if available
• Use load balancers for high availability
• Monitor droplet access logs

[jhodapp]

Secrets and Configuration Management

Environment Variables and Secrets

• Use strong, unique passwords for all services
• Rotate secrets regularly (quarterly minimum)
• Store secrets securely (never in code or version control)
• Use environment-specific configurations
• Implement secrets management service (HashiCorp Vault, SOPs, etc.)
• Audit access to secrets and configuration
• Use principle of least privilege for service accounts
• Encrypt configuration files containing sensitive data

API Keys and Tokens

• Use JWT tokens with appropriate expiration times
• Implement token refresh mechanisms
• Store API keys securely and rotate regularly
• Monitor API key usage for anomalies
• Implement API key scoping with minimal permissions
• Use different keys for different environments