28 lines
849 B
Markdown
28 lines
849 B
Markdown
|
# Security Checklist
|
||
|
|
|
||
|
|
## Secrets handling
|
||
|
|
|
||
|
|
- Never commit `.env` or any file containing credentials.
|
||
|
|
- Use `.env.example` for non-sensitive defaults only.
|
||
|
|
- Set DB credentials through environment variables.
|
||
|
|
- Rotate credentials if they have ever appeared in git history.
|
||
|
|
|
||
|
|
## Database hardening
|
||
|
|
|
||
|
|
- Use a dedicated runtime user with least required privileges.
|
||
|
|
- Keep administrative users separate from ingestion users.
|
||
|
|
- Restrict DB network access to trusted hosts/VPC/private network.
|
||
|
|
- Enable SSL/TLS for non-local database connections.
|
||
|
|
|
||
|
|
## Publication readiness
|
||
|
|
|
||
|
|
Before making the repository public:
|
||
|
|
|
||
|
|
1. Confirm `git status` has no secret files staged.
|
||
|
|
2. Search for potential secret patterns:
|
||
|
|
- passwords
|
||
|
|
- API keys
|
||
|
|
- tokens
|
||
|
|
3. Verify `.gitignore` includes local secret files (`.env*`).
|
||
|
|
4. Regenerate credentials used during development.
|