gdegelas/grants
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
dd13d72b5d
grants/SECURITY_CHECKLIST.md
gdegelas a05331128b Atlas Green Morocco — grant strategy platform 
- Full grant strategy framework for renewable energy & green hydrogen
- AI-powered grant studio, partner outreach, financial modeling
- Umami analytics with data-performance tracking
- Live Degelas metrics connected to solar.degelas.be
- Trilingual (EN/FR/AR) with i18n support
- Dockerized with Nginx frontend + Express API proxy
2026-06-01 09:44:03 +00:00

5.4 KiB
Raw Blame History

Production Security Checklist

Pre-Deployment

Environment Variables

  • Copy .env.example to .env
  • Set OPENAI_API_KEY to your actual key
  • (Optional) Set DEGELAS_API_URL and DEGELAS_API_KEY
  • Set CLIENT_ORIGIN to your actual domain (not *) for production
  • Verify .env is in .gitignore

Docker Security

  • Run containers as non-root user (add USER node to Dockerfile)
  • Use specific image tags (not latest) in production
  • Enable Docker content trust (DOCKER_CONTENT_TRUST=1)
  • Scan images for vulnerabilities (docker scan or Trivy)

Network Security

  • Configure firewall (UFW) to allow only ports 80, 443, and SSH
  • Set up fail2ban for SSH brute-force protection
  • Enable automatic security updates on the VPS
  • Use a non-root SSH user with key-based auth only

Post-Deployment

HTTPS Setup (Critical)

  • Obtain SSL certificate (Let's Encrypt via Certbot)
  • Configure Nginx for HTTPS (port 443)
  • Redirect HTTP to HTTPS
  • Enable HSTS (already in nginx.conf)
  • Test SSL configuration (SSL Labs test)

Monitoring

  • Set up log rotation for Nginx logs
  • Configure log monitoring (e.g., fail2ban, OSSEC)
  • Set up uptime monitoring (UptimeRobot, Pingdom)
  • Set up error alerting (email/Slack on 5xx errors)

Backup Strategy

  • Daily automated backups of VPS
  • Test restore procedure
  • Backup .env file securely (separate from VPS backup)

Access Control

  • Restrict SSH access to specific IPs if possible
  • Use SSH keys only (disable password auth)
  • Set up sudo with limited permissions
  • Document all access credentials securely

Hardening Applied

Nginx Hardening (in nginx.conf)

Server tokens hidden (no version disclosure) Buffer size limits configured Timeout limits configured (slowloris protection) Rate limiting on /api/ (10 req/s with burst) Security headers (X-Frame-Options, CSP, HSTS, etc.) Sensitive file access denied (/.* paths) Static assets cached with immutable flag

Express Hardening (in server/index.ts)

Helmet security middleware (CSP, XSS protection, etc.) CORS with validated origins Request size limits (1MB) Rate limiting (100 req/15min per IP) Input validation with Zod Structured logging with Pino Global error handler (sanitized in production) 404 handler Environment validation on startup Sensitive data redaction in logs

Docker Hardening

Multi-stage build (no dev deps in runtime) Alpine-based images (smaller attack surface) Health checks configured Service dependencies with health conditions Restart policies (unless-stopped)

Recommended Additional Steps

For High-Security Deployments

  1. Run containers as non-root

    • Add USER node to Dockerfile after WORKDIR
    • Ensure file permissions allow non-root access

  2. Network segmentation

    • Put API server in separate Docker network
    • Only Nginx exposed to external network

  3. Secrets management

    • Use Docker secrets or external vault (not .env files)
    • Rotate API keys regularly

  4. WAF (Web Application Firewall)

    • Consider Cloudflare or AWS WAF in front
    • Enable OWASP ruleset

  5. DDoS protection

    • Use Cloudflare or similar CDN
    • Configure rate limits at edge

Incident Response Plan

If Compromised

  1. Isolate: Stop affected containers
  2. Assess: Check logs for scope of breach
  3. Rotate: Change all API keys and secrets
  4. Patch: Update all dependencies
  5. Restore: Restore from clean backup if needed
  6. Document: Record timeline and actions taken

Contact Information

  • Server Admin: [your contact]
  • Security Contact: [your contact]
  • Backup Location: [location]

Regular Maintenance

Weekly

  • Review error logs
  • Check disk space
  • Review access logs for anomalies

Monthly

  • Update system packages
  • Update Docker images
  • Review and rotate API keys
  • Test backup restoration

Quarterly

  • Security audit (dependencies, configs)
  • Penetration testing (optional but recommended)
  • Review and update firewall rules
  • Review access logs and user access

Compliance Notes

GDPR

  • User data is minimal (no personal data stored by default)
  • Logs contain IP addresses (consider log retention policy)
  • Add privacy policy page if collecting any user data

SOC2 (if applicable)

  • Logging is enabled and structured
  • Access control via SSH keys
  • Change management via git
  • Consider adding audit logging for API access

Quick Commands Reference

# View container logs
docker compose logs -f

# View specific service logs
docker compose logs -f api-server
docker compose logs -f frontend

# Restart services
docker compose restart

# Update and redeploy
git pull
docker compose up -d --build

# Check disk usage
df -h
docker system df

# Clean up old images
docker image prune -a

# Check running containers
docker compose ps

# Access container shell
docker compose exec api-server /bin/sh

Emergency Contacts

Service Contact Phone
VPS Provider [provider support] [phone]
Domain Registrar [registrar support] [phone]
SSL Provider Let's Encrypt N/A
Internal Admin [your name] [your phone]

Last Updated: January 2026
Version: 1.0