[NX-204 Issue] Add secret management guidelines and enhance security notes
Some checks are pending
Container CVE Scan (development) / Scan backend/frontend images for CVEs (push) Waiting to run
Migration Safety / Alembic upgrade/downgrade safety (push) Successful in 2m43s
PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 7s
Proxy Profile Validation / validate (push) Successful in 3s
Python Dependency Security / pip-audit (block high/critical) (push) Successful in 26s
Docker Publish (Release) / Build and Push Docker Images (release) Successful in 1m41s
Introduced a comprehensive guide for secure production secret handling (`docs/security/secret-management.md`). Updated `.env.example` files with clearer comments on best practices, emphasizing not hardcoding secrets and implementing rotation strategies. Enhanced README with a new section linking to the secret management documentation.
README.md (16 additions)
@@ -23,6 +23,7 @@ It combines FastAPI, React, and PostgreSQL in a Docker Compose stack with RBAC,
- [Production Proxy Profile](#production-proxy-profile)
- [PostgreSQL Compatibility Smoke Test](#postgresql-compatibility-smoke-test)
- [Dependency Exception Flow](#dependency-exception-flow)
- [Secret Management (Production)](#secret-management-production)
- [Troubleshooting](#troubleshooting)
- [Security Notes](#security-notes)
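Review bot: the anchor `#secret-management-production` in the new TOC entry must match the slug generated from the `## Secret Management (Production)` heading added later in this commit; the parentheses are dropped by the slug generator, so the link resolves, but the two only stay consistent while they are edited together, so any later rename of the heading needs this line updated as well.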
@@ -414,6 +415,19 @@ Python dependency vulnerabilities are enforced by CI via `pip-audit`.
- Full process and required metadata are documented in:
- `docs/security/dependency-exceptions.md`
## Secret Management (Production)
Secret handling guidance is documented in:
- `docs/security/secret-management.md`
It includes:
- secure handling for `JWT_SECRET_KEY`, `ENCRYPTION_KEY`, `DB_PASSWORD`, and SMTP credentials
- clear **Do / Don't** rules
- recommended secret provider patterns (Vault/cloud/orchestrator/CI injection)
- practical rotation basics and operational checklist
## Troubleshooting
### Backend container keeps restarting during `make migrate`
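Review bot: the new section links to `docs/security/secret-management.md`, but the only file in this diff is `README.md` (16 additions), even though the commit message says the guide was introduced and the `.env.example` files were updated in this commit; please confirm the guide and the `.env.example` changes are committed (here or in a referenced commit) so the link does not point at a missing file, and consider a relative markdown link (`[docs/security/secret-management.md](docs/security/secret-management.md)`) instead of bare backticks so readers can follow it. Minor style point: the "It includes:" bullets start in lowercase ("secure handling for ...") while the surrounding README lists start capitalized ("Full process and required metadata ...").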
@@ -448,3 +462,5 @@ Set target `sslmode` to `disable` (or correct SSL config on target DB).
- RBAC enforced on protected endpoints
- Audit logs for critical actions
- Collector error logging includes throttling to reduce repeated noise
- Production secret handling and rotation guidance:
- `docs/security/secret-management.md`
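Review bot: the path under "Production secret handling and rotation guidance:" is meant as a nested bullet, which depends on two-space indentation that is not visible in this rendering; confirm it renders as a sub-item rather than a sibling of the other Security Notes entries. The same path is now maintained in two places (this list and the new Secret Management section); pointing this line at the section instead (`see [Secret Management (Production)](#secret-management-production)`) would keep a single source for the file path.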