[NX-204 Issue] Add secret management guidelines and enhance security notes
Some checks are pending
Container CVE Scan (development) / Scan backend/frontend images for CVEs (push) Waiting to run
Migration Safety / Alembic upgrade/downgrade safety (push) Successful in 2m43s
PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 7s
Proxy Profile Validation / validate (push) Successful in 3s
Python Dependency Security / pip-audit (block high/critical) (push) Successful in 26s
Docker Publish (Release) / Build and Push Docker Images (release) Successful in 1m41s
Introduced a comprehensive guide for secure production secret handling (`docs/security/secret-management.md`). Updated `.env.example` files with clearer comments on best practices, emphasizing not hardcoding secrets and implementing rotation strategies. Enhanced README with a new section linking to the secret management documentation.
@@ -12,6 +12,7 @@ LOG_LEVEL=INFO
# Core Database (internal metadata DB)
# ------------------------------
# Database that stores users, targets, metrics, query stats, and audit logs.
# DEV default only. Use strong unique credentials in production.
DB_NAME=nexapg
DB_USER=nexapg
DB_PASSWORD=nexapg
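Review bot: the new "DEV default only" comment warns against weak credentials, but the values under it (`DB_NAME=nexapg`, `DB_USER=nexapg`, `DB_PASSWORD=nexapg`) still ship a password equal to the username and database name, and `.env.example` is exactly the file people copy to `.env`. A comment will not keep that default out of production; consider giving `DB_PASSWORD` an unusable placeholder in the style this same change introduces for `ENCRYPTION_KEY` (`REPLACE_WITH_FERNET_KEY`) and having the backend refuse to start outside local environments while the value is still the default. Minor: "strong unique credentials" reads better as "strong, unique credentials".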
@@ -23,7 +24,7 @@ DB_PORT=5433
# ------------------------------
# Host port mapped to backend container port 8000.
BACKEND_PORT=8000
# JWT signing secret. Change this in every non-local environment.
# JWT signing secret. Never hardcode in source. Rotate regularly.
JWT_SECRET_KEY=change_this_super_secret
JWT_ALGORITHM=HS256
# Access token lifetime in minutes.
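Review bot: the replaced comment drops the one concrete instruction the old line had ("Change this in every non-local environment") in favour of "Never hardcode in source", which is odd advice inside an env file that is not source itself, while `JWT_SECRET_KEY=change_this_super_secret` remains a value that works unchanged; with `JWT_ALGORITHM=HS256` that secret is the only thing between a copied example file and forged tokens. Suggest keeping both sentences, using a placeholder the app rejects (mirroring `REPLACE_WITH_FERNET_KEY`), and adding a generation hint like the one given for `ENCRYPTION_KEY`, e.g. `python -c "import secrets; print(secrets.token_urlsafe(64))"`. "Rotate regularly" also needs a word on how: rotating an HS256 secret invalidates every outstanding access and refresh token unless verification keeps accepting the previous key for a grace window, so the comment should say that or point at the section of `docs/security/secret-management.md` that does.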
@@ -31,6 +32,7 @@ JWT_ACCESS_TOKEN_MINUTES=15
# Refresh token lifetime in minutes (10080 = 7 days).
JWT_REFRESH_TOKEN_MINUTES=10080
# Key used to encrypt monitored target passwords at rest.
# Never hardcode in source. Rotate with re-encryption plan.
# Generate with:
# python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
ENCRYPTION_KEY=REPLACE_WITH_FERNET_KEY
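Review bot: "Rotate with re-encryption plan" leaves the reader to invent the plan; since this is a Fernet key (per the generation one-liner), the comment can name the mechanism: `cryptography.fernet.MultiFernet` decrypts with any key in its list and `MultiFernet.rotate()` re-encrypts a token under the first key, so rotation is "add the new key first, re-encrypt the stored target passwords, then drop the old key". Two smaller points: the one-liner depends on the `cryptography` package, worth stating for anyone generating the key outside the backend's environment, and because this key decrypts every monitored target password, the comment should say that the real `.env` must stay out of version control and be readable only by the service user.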