HARDEN - nself-org/cli GitHub Wiki
Version: v0.9.9
Status: Active
Security hardening automation for nself deployments. This command provides automated fixes for common security issues identified by security audits, including weak secrets rotation, CORS configuration hardening, and other security best practices.
```bash
nself harden [command] [options]
```

| Command | Description |
|---|---|
| all | Apply all hardening fixes automatically |
| secrets | Rotate weak or compromised secrets |
| cors | Fix CORS (Cross-Origin Resource Sharing) configuration |
| help | Show help information |
Running `nself harden` without a subcommand launches an interactive wizard:

```bash
nself harden
```

The wizard will:
- Scan your configuration for security issues
- Present findings with severity levels
- Allow you to select which fixes to apply
- Apply selected hardening measures
- Verify the fixes were successful
## `nself harden all`

Applies all available security hardening measures:
- Rotates weak secrets (passwords < 32 characters)
- Fixes CORS configuration
- Hardens HTTP security headers
- Updates insecure defaults
Example:

```bash
nself harden all
```

## `nself harden secrets`

Identifies and rotates weak secrets in your configuration:
- Database passwords
- API keys and admin secrets
- JWT secrets
- Encryption keys
What it does:
- Scans environment files for secrets
- Identifies weak secrets (length, entropy, known patterns)
- Generates cryptographically strong replacements
- Updates environment files
- Restarts affected services
Example:

```bash
nself harden secrets
```

## `nself harden cors`

Hardens Cross-Origin Resource Sharing (CORS) configuration:
- Removes wildcard (`*`) origins in production
- Configures specific allowed origins
- Sets appropriate CORS headers
- Restricts methods and headers
Example:

```bash
nself harden cors
```

## Examples

```bash
# Run interactive wizard
nself harden

# Or apply all fixes non-interactively
nself harden all
```

```bash
# Rotate only secrets
nself harden secrets

# Then rebuild and restart
nself build
nself restart
```

```bash
# After security scan identifies CORS issues
nself harden cors
```

## Secrets rotation

Scanned secrets:
- `POSTGRES_PASSWORD`
- `HASURA_GRAPHQL_ADMIN_SECRET`
- `HASURA_GRAPHQL_JWT_SECRET`
- `AUTH_SERVER_URL`
- `AUTH_SECRET_KEY`
- Custom API keys
Criteria for weak secrets:
- Length < 32 characters
- Low entropy (predictable patterns)
- Common passwords (dictionary check)
- Hardcoded defaults
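The four criteria above can be applied to an `.env` file with a short POSIX shell script. The script below is an added example, not nself's own implementation: the 32-character minimum matches the page, while the small word list, the character-class and distinct-character thresholds, and the rule that only variables whose names contain `SECRET`, `PASSWORD` or `_KEY` are judged are assumptions chosen for the demo. The sample `.env` content is constructed inline.

```sh
#!/usr/bin/env sh
# Added example (not nself's own code): apply the page's four weak-secret
# criteria to an .env file and print a strong replacement for each weak value.
# MIN_LEN matches the page; the dictionary, the entropy thresholds and the
# variable-name filter are assumptions for this demo.

MIN_LEN=32
# Constructed dictionary of common passwords and shipped defaults (assumption)
DICTIONARY="password changeme secret admin letmein nhost hasura postgres"

# is_weak_secret NAME VALUE -> prints the reason and returns 0 if weak, 1 if acceptable
is_weak_secret() {
  sname=$1; svalue=$2
  lower=$(printf '%s' "$svalue" | tr 'A-Z' 'a-z')

  # 1. Length < 32 characters
  if [ "${#svalue}" -lt "$MIN_LEN" ]; then
    echo "$sname: too short (${#svalue} < $MIN_LEN)"; return 0
  fi
  # 2. Low entropy: fewer than three character classes or very few distinct characters
  classes=0
  case $svalue in *[a-z]*) classes=$((classes + 1));; esac
  case $svalue in *[A-Z]*) classes=$((classes + 1));; esac
  case $svalue in *[0-9]*) classes=$((classes + 1));; esac
  case $svalue in *[!A-Za-z0-9]*) classes=$((classes + 1));; esac
  distinct=$(printf '%s' "$svalue" | fold -w 1 | sort -u | wc -l | tr -d ' ')
  if [ "$classes" -lt 3 ] || [ "$distinct" -lt 8 ]; then
    echo "$sname: low entropy ($classes character classes, $distinct distinct characters)"; return 0
  fi
  # 3. and 4. Dictionary words and hardcoded defaults anywhere in the value
  for word in $DICTIONARY; do
    case $lower in *"$word"*) echo "$sname: contains dictionary/default word '$word'"; return 0;; esac
  done
  return 1
}

# generate_secret -> 48 URL-safe characters drawn from the kernel CSPRNG
generate_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 48
}

# scan_env_file FILE -> prints one "NAME: reason" line per weak credential-like variable
scan_env_file() {
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue;; esac
    vname=${line%%=*}; vvalue=${line#*=}
    # Only variables that look like credentials are judged (assumed name filter)
    case $vname in *SECRET*|*PASSWORD*|*_KEY*) ;; *) continue;; esac
    is_weak_secret "$vname" "$vvalue" || true
  done <"$1"
}

# Constructed sample .env: one short default, one low-entropy value, one strong value
ENV_FILE=$(mktemp)
cat >"$ENV_FILE" <<'EOF'
POSTGRES_PASSWORD=changeme123
HASURA_GRAPHQL_ADMIN_SECRET=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
AUTH_SECRET_KEY=Qw8zR2tL9vXp3bN7mK5jH1gF4dS6aP0eYcUiOoIuTyRe
HASURA_GRAPHQL_CORS_DOMAIN=*
EOF

# Report each finding together with a freshly generated replacement
scan_env_file "$ENV_FILE" | while IFS= read -r finding; do
  echo "$finding"
  echo "  suggested replacement: $(generate_secret)"
done
rm -f "$ENV_FILE"
```

On the constructed file the first two variables are reported (too short, low entropy) and the third passes; the CORS line is skipped because its name does not look like a credential. Replacements are printed rather than written back, so a review step sits between detection and the rebuild-and-restart the page asks for after rotation.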
## CORS hardening

Before:

```bash
HASURA_GRAPHQL_CORS_DOMAIN=*
```

After:

```bash
HASURA_GRAPHQL_CORS_DOMAIN=https://yourdomain.com,https://app.yourdomain.com
```

## Security headers

Ensures proper HTTP security headers:
- `X-Frame-Options: DENY`
- `X-Content-Type-Options: nosniff`
- `X-XSS-Protection: 1; mode=block`
- `Strict-Transport-Security` (HSTS)
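The CORS rewrite shown in the Before/After above can be scripted so that the wildcard is replaced only by an explicit allow-list that cannot reintroduce a weakness. The script below is an added example, not nself's own code; the origin rules it enforces (https only, no wildcard, no path component) are assumptions for the demo, and the sample `.env` content is constructed inline.

```sh
#!/usr/bin/env sh
# Added example (not nself's own code): replace HASURA_GRAPHQL_CORS_DOMAIN=*
# with a validated allow-list and verify the result. The acceptance rules for
# an origin are assumptions for this demo.

# validate_origin ORIGIN -> 0 if acceptable for production, 1 otherwise (reason on stderr)
validate_origin() {
  case $1 in
    '*'|*'*'*)   echo "reject '$1': wildcard origin" >&2; return 1 ;;
    http://*)    echo "reject '$1': plaintext scheme" >&2; return 1 ;;
    https://*/*) echo "reject '$1': an origin carries no path" >&2; return 1 ;;
    https://?*)  return 0 ;;
    *)           echo "reject '$1': not an https origin" >&2; return 1 ;;
  esac
}

# build_cors_domain ORIGIN... -> prints the comma-separated value; fails if any origin is rejected
build_cors_domain() {
  out=""
  for origin in "$@"; do
    validate_origin "$origin" || return 1
    out="${out:+$out,}$origin"
  done
  printf '%s\n' "$out"
}

# harden_cors_file FILE ORIGIN... -> rewrites the setting in FILE (appends it if absent)
harden_cors_file() {
  file=$1; shift
  value=$(build_cors_domain "$@") || return 1
  tmp="$file.tmp"
  awk -v v="$value" '
    /^HASURA_GRAPHQL_CORS_DOMAIN=/ { print "HASURA_GRAPHQL_CORS_DOMAIN=" v; seen = 1; next }
    { print }
    END { if (!seen) print "HASURA_GRAPHQL_CORS_DOMAIN=" v }
  ' "$file" >"$tmp" && mv "$tmp" "$file"
}

# cors_is_hardened FILE -> 0 when the setting is present, non-empty and contains no wildcard
cors_is_hardened() {
  line=$(grep '^HASURA_GRAPHQL_CORS_DOMAIN=' "$1") || return 1
  case ${line#*=} in ''|*'*'*) return 1 ;; *) return 0 ;; esac
}

# Constructed sample .env with the wildcard setting from the page
ENV_FILE=$(mktemp)
printf 'HASURA_GRAPHQL_CORS_DOMAIN=*\nHASURA_GRAPHQL_ENABLE_CONSOLE=false\n' >"$ENV_FILE"

if cors_is_hardened "$ENV_FILE"; then echo "CORS already hardened"; else echo "wildcard CORS found"; fi
harden_cors_file "$ENV_FILE" https://yourdomain.com https://app.yourdomain.com
cat "$ENV_FILE"
rm -f "$ENV_FILE"
```

The rewrite goes through a temporary file and `mv` so a failed validation leaves the original untouched, and `cors_is_hardened` is the check to run again after `nself build && nself restart` to confirm the wildcard is gone.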
## Best practices

- Always run `nself build && nself restart` after hardening
- Back up `.env` files before applying changes
- Test thoroughly in staging before production
- Some changes may require updating client applications
- Secrets rotation may invalidate existing sessions
## Troubleshooting

```bash
# Check logs
nself logs

# Rollback to backup
cp .env.backup .env
nself build && nself restart
```

```bash
# Check current CORS settings
nself config env | grep CORS

# Add your domain
nself harden cors
# Follow prompts to add allowed origins
```

```bash
# Verify environment file was updated
cat .env | grep SECRET

# Force rebuild
nself build --force
nself restart
```

## Related commands

- auth - Authentication and security
- config - Configuration management
- doctor - System diagnostics
- audit - Security auditing
Documentation: https://docs.nself.org/security/hardening
Category: Security