SECURITY BEST PRACTICES - nself-org/cli GitHub Wiki
Last Updated: January 31, 2026 Version: v0.9.6+
This guide provides comprehensive security best practices for nself projects, from development through production deployment.
- Quick Start Security Checklist
- Secret Management
- Development Security
- Production Security
- Compliance Guidelines
- Security Tools
- Incident Response
## Quick Start Security Checklist

Before deploying to production, ensure you've completed these critical security tasks:

```bash
# 1. Run security scan
nself auth security scan --deep

# 2. Run production audit
nself auth security audit

# 3. Generate and review security report
nself auth security report

# 4. Rotate all default secrets
nself auth security rotate POSTGRES_PASSWORD
nself auth security rotate HASURA_GRAPHQL_ADMIN_SECRET
nself auth security rotate JWT_SECRET

# 5. Install git hooks to prevent secret commits
cp src/templates/git/pre-commit .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
```

MUST FIX before production:

- Default Secrets - All secrets must be rotated from defaults
- Hasura Console - Must be disabled in production (`HASURA_GRAPHQL_ENABLE_CONSOLE=false`)
- SSL/TLS - Must be enabled with valid certificates
- File Permissions - `.env` and `.env.secrets` must be `600`
- Git Exposure - Sensitive files must be in `.gitignore`
## Secret Management

nself automatically generates strong secrets during initialization:

```bash
# Initialize with strong random secrets
nself init

# Secrets are automatically generated:
# - POSTGRES_PASSWORD: 32 char alphanumeric
# - HASURA_GRAPHQL_ADMIN_SECRET: 64 char hex
# - JWT_SECRET: 64 char hex
# - MINIO_ROOT_PASSWORD: 32 char alphanumeric
```

| Secret Type | Minimum Length | Character Set | Example |
|---|---|---|---|
| Passwords | 16 characters | Alphanumeric + symbols | `aB3$dF7&kL9*nP2@qR5%` |
| Admin Secrets | 32 characters | Hex | `a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6` |
| JWT Secrets | 64 characters | Hex | `a1b2c3...` (64 chars) |
| API Keys | 32 characters | Alphanumeric | `aBcD3FgH7JkL9MnP2QrS5TvW8XyZ` |
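The policy in the table above can be enforced mechanically rather than by eye. The following Python is an added example, not part of the nself CLI: it parses a `.env` file, maps variable names to the table's categories (the naming rule `*_PASSWORD`, `*_ADMIN_SECRET`, `JWT_SECRET`, `*_API_KEY` and the list of known default values are assumptions), reports values that are still placeholders, too short, or outside the allowed character set, and generates compliant replacements with the standard `secrets` module. The sample `.env` text is constructed.

```python
import secrets
import string

# Policy from the table above: category -> (minimum length, allowed character set).
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
ALPHANUMERIC = string.ascii_letters + string.digits
POLICY = {
    "password": (16, set(ALPHANUMERIC + SYMBOLS)),
    "admin_secret": (32, set(string.hexdigits)),
    "jwt_secret": (64, set(string.hexdigits)),
    "api_key": (32, set(ALPHANUMERIC)),
}

# Values that mean "nobody changed this yet" (constructed list; extend it for your project).
KNOWN_DEFAULTS = {"", "changeme", "password", "secret", "admin", "postgres", "nself"}


def classify(key: str):
    """Map a variable name to a policy category; None means it is not treated as a secret.
    The naming convention is an assumption, not an nself rule."""
    if key == "JWT_SECRET":
        return "jwt_secret"
    if key.endswith("_ADMIN_SECRET"):
        return "admin_secret"
    if key.endswith("_PASSWORD"):
        return "password"
    if key.endswith("_API_KEY"):
        return "api_key"
    return None


def parse_env(text: str) -> dict:
    """Minimal .env parser: KEY=VALUE lines, optional 'export ', quotes and '#' comment lines."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_secret(key: str, value: str) -> list:
    """Return the policy violations for one variable; an empty list means it passes."""
    category = classify(key)
    if category is None:
        return []
    # A placeholder such as <64-char-random> or a well-known default is the headline
    # finding; the length and character-set checks would only add noise on top of it.
    if value.lower() in KNOWN_DEFAULTS or (value.startswith("<") and value.endswith(">")):
        return ["default or placeholder value still in use"]
    min_len, allowed = POLICY[category]
    issues = []
    if len(value) < min_len:
        issues.append(f"too short: {len(value)} < {min_len} characters")
    outside = sorted(set(value) - allowed)
    if outside:
        issues.append(f"characters outside the {category} character set: {''.join(outside)}")
    return issues


def audit_env(text: str) -> dict:
    """Audit every secret in a .env file; returns {key: [issues]} for the failing keys only."""
    findings = {}
    for key, value in parse_env(text).items():
        issues = check_secret(key, value)
        if issues:
            findings[key] = issues
    return findings


def generate_secret(category: str) -> str:
    """Generate a value that satisfies the policy for `category` using the OS CSPRNG."""
    min_len, _ = POLICY[category]
    if category in ("admin_secret", "jwt_secret"):
        return secrets.token_hex(min_len // 2)  # min_len hex characters
    alphabet = ALPHANUMERIC if category == "api_key" else ALPHANUMERIC + SYMBOLS
    return "".join(secrets.choice(alphabet) for _ in range(min_len))


# Constructed sample .env, not a real configuration.
SAMPLE_ENV = """\
ENV=production
POSTGRES_PASSWORD=changeme
HASURA_GRAPHQL_ADMIN_SECRET=not-hex-at-all-but-long-enough-for-policy
JWT_SECRET=<96-char-random>
export STRIPE_API_KEY="aB3dF7kL9nP2qR5tV8xZ1cE4gH6jM0oS"
"""

if __name__ == "__main__":
    for key, issues in audit_env(SAMPLE_ENV).items():
        print(f"{key}: {'; '.join(issues)}")
    print("fresh JWT_SECRET:", generate_secret("jwt_secret"))
```

Run it against a real file with `audit_env(open(".env").read())`; anything it reports is exactly what the "Default secrets still in use" and "Weak passwords/secrets" scan checks below are looking for.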
Rotate secrets regularly (every 90 days recommended):

```bash
# Rotate specific secret
nself auth security rotate POSTGRES_PASSWORD

# This will:
# 1. Generate new strong random value
# 2. Create backup of old .env
# 3. Update secret in place
# 4. Prompt to restart services
```

Development:

- `.env` - Local development secrets (gitignored)
- `.env.local` - Personal overrides (gitignored)

Production:

- `.env.secrets` - Production secrets (gitignored, 600 permissions)
- Vault integration (optional): `nself config vault enable`
NEVER:

- Commit secrets to git
- Share secrets in Slack/email
- Log secrets in application logs
- Store secrets in docker-compose.yml
## Development Security

- Use Strong Defaults

  ```bash
  # nself init generates strong random secrets by default
  nself init

  # Verify secrets are strong
  nself auth security scan
  ```

- Install Git Hooks

  Prevent accidental secret commits:

  ```bash
  # Install pre-commit hook
  cp src/templates/git/pre-commit .git/hooks/pre-commit
  chmod +x .git/hooks/pre-commit

  # Now git will block commits containing:
  # - .env files
  # - Hardcoded secrets
  # - Large files (>10MB)
  ```

- Validate Configuration

  ```bash
  # Check for security issues
  nself auth security scan

  # Check for misconfigurations
  nself config validate
  ```

SQL Injection Prevention:

```sql
-- BAD: String concatenation
EXECUTE 'SELECT * FROM users WHERE id = ' || user_id;

-- GOOD: Parameterized query
EXECUTE 'SELECT * FROM users WHERE id = $1' USING user_id;
```

XSS Prevention:

```javascript
// BAD: Unescaped user input
div.innerHTML = userInput;

// GOOD: Escaped output
div.textContent = userInput;

// GOOD: React auto-escapes
<div>{userInput}</div>
```
## Production Security

Run comprehensive audit before deploying:

```bash
# Full security audit
nself auth security audit

# Should check:
# - SSL/TLS enabled
# - Admin secrets configured
# - Hasura console disabled
# - CORS restricted
# - Monitoring enabled
# - Backups configured
# - No exposed admin ports
```

Production .env requirements:

```bash
# Environment
ENV=production

# Security
HASURA_GRAPHQL_ENABLE_CONSOLE=false
HASURA_GRAPHQL_DEV_MODE=false
DEBUG=false
SSL_ENABLED=true

# CORS (restrict to your domain)
HASURA_GRAPHQL_CORS_DOMAIN=https://yourdomain.com

# Monitoring (required)
MONITORING_ENABLED=true

# Strong secrets (rotate from defaults!)
POSTGRES_PASSWORD=<64-char-random>
HASURA_GRAPHQL_ADMIN_SECRET=<96-char-random>
JWT_SECRET=<96-char-random>
```

SSL/TLS:

```bash
# Generate SSL certificate
nself auth ssl generate yourdomain.com

# For Let's Encrypt (production)
SSL_MODE=letsencrypt
[email protected]
LETSENCRYPT_DOMAIN=yourdomain.com

# Verify SSL configuration
nself auth ssl info
```

Firewall Rules:

```bash
# Allow only necessary ports
# HTTP/HTTPS for public access
ufw allow 80/tcp
ufw allow 443/tcp

# SSH for administration (restrict to specific IPs)
ufw allow from 1.2.3.4 to any port 22

# Block everything else
ufw default deny incoming
ufw default allow outgoing
ufw enable
```

Container Network Isolation:

```yaml
# docker-compose.yml - Internal network
services:
  postgres:
    networks:
      - internal
    # NO ports exposed!

  hasura:
    networks:
      - internal
      - external
    # Exposed via nginx only

networks:
  internal:
    driver: bridge
    internal: true
  external:
    driver: bridge
```

## Compliance Guidelines

Data Protection:
- Data Minimization
  - Only collect necessary data
  - Document data retention policies
  - Implement data deletion procedures

- Right to Access

  ```sql
  -- User data export query
  SELECT * FROM users WHERE id = $user_id;
  SELECT * FROM user_messages WHERE user_id = $user_id;
  ```

- Right to be Forgotten

  ```sql
  -- Anonymize user data
  UPDATE users
  SET email = '[email protected]',
      display_name = 'Deleted User',
      avatar_url = NULL
  WHERE id = $user_id;

  -- Or hard delete. Dependent rows (messages, sessions, ...) are removed with the
  -- user only if the referencing foreign keys are declared ON DELETE CASCADE;
  -- DELETE itself takes no CASCADE keyword.
  DELETE FROM users WHERE id = $user_id;
  ```

- Audit Logging

  ```bash
  # Enable audit logging
  MONITORING_ENABLED=true
  AUDIT_LOGGING=true

  # Logs stored in: logs/audit.log
  ```
For healthcare applications:

- Encryption
  - Enable SSL/TLS for all connections
  - Encrypt database backups
  - Use encrypted volumes for data at rest

- Access Controls
  - Implement role-based access (RBAC)
  - Require MFA for administrators
  - Log all data access

- Audit Trails
  - Track all PHI access
  - Store logs for 7 years minimum
  - Implement automated alerting
Security Controls:

- Access Management

  ```bash
  # Enable MFA
  nself auth mfa enable --method=totp

  # Configure session timeouts
  AUTH_JWT_ACCESS_TOKEN_EXPIRES_IN=900      # 15 minutes
  AUTH_JWT_REFRESH_TOKEN_EXPIRES_IN=86400   # 24 hours
  ```

- Change Management
  - Document all deployments
  - Require code reviews
  - Maintain change logs

- Incident Response
  - Document security incidents
  - Implement automated alerts
  - Maintain incident response plan
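The production `.env` requirements from the Production Security section, the `AUDIT_LOGGING` setting above and the 15-minute access-token lifetime are all plain key/value expectations, so one linter can check them before every deployment. This Python is an added example, not part of nself: the variable names are the ones used on this page, the rule that every CORS origin must start with `https://` is an assumption, and both sample files are constructed.

```python
# Expected production values, taken from the "Production .env requirements" block
# and the audit-logging / session-timeout settings in the compliance sections.
REQUIRED = {
    "ENV": "production",
    "HASURA_GRAPHQL_ENABLE_CONSOLE": "false",
    "HASURA_GRAPHQL_DEV_MODE": "false",
    "DEBUG": "false",
    "SSL_ENABLED": "true",
    "MONITORING_ENABLED": "true",
    "AUDIT_LOGGING": "true",
}
MAX_ACCESS_TOKEN_SECONDS = 900  # 15 minutes, the access-token lifetime shown above


def parse_env(text: str) -> dict:
    """Tiny .env parser: KEY=VALUE lines, '#' comment lines, ' # trailing' comments, quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.split(" #", 1)[0].strip().strip("'\"")
    return env


def lint_production_env(text: str) -> list:
    """Return human-readable problems; an empty list means the file meets the requirements."""
    env = parse_env(text)
    problems = []
    for key, expected in REQUIRED.items():
        actual = env.get(key)
        if actual is None:
            problems.append(f"{key} is not set (must be {expected})")
        elif actual.lower() != expected:
            problems.append(f"{key}={actual} (must be {expected})")
    # CORS must be pinned to explicit https origins; '*' or an empty value lets any site call the API.
    cors = env.get("HASURA_GRAPHQL_CORS_DOMAIN", "")
    if cors in ("", "*"):
        problems.append("HASURA_GRAPHQL_CORS_DOMAIN must list your https origin(s), not '*' or empty")
    else:
        for origin in (o.strip() for o in cors.split(",")):
            if not origin.startswith("https://"):  # assumption: plain-http origins are never acceptable
                problems.append(f"CORS origin {origin} is not https")
    # Short-lived access tokens limit how long a leaked token stays usable.
    ttl = env.get("AUTH_JWT_ACCESS_TOKEN_EXPIRES_IN")
    if ttl is None or not ttl.isdigit() or int(ttl) > MAX_ACCESS_TOKEN_SECONDS:
        problems.append(
            f"AUTH_JWT_ACCESS_TOKEN_EXPIRES_IN must be a number of seconds <= {MAX_ACCESS_TOKEN_SECONDS}"
        )
    return problems


# Constructed samples: a file with typical leftovers from development, and its hardened version.
WEAK_ENV = """\
ENV=production
HASURA_GRAPHQL_ENABLE_CONSOLE=true
HASURA_GRAPHQL_DEV_MODE=false
DEBUG=false
SSL_ENABLED=true
HASURA_GRAPHQL_CORS_DOMAIN=*
MONITORING_ENABLED=true
AUTH_JWT_ACCESS_TOKEN_EXPIRES_IN=86400
"""

HARDENED_ENV = """\
ENV=production
HASURA_GRAPHQL_ENABLE_CONSOLE=false
HASURA_GRAPHQL_DEV_MODE=false
DEBUG=false
SSL_ENABLED=true
HASURA_GRAPHQL_CORS_DOMAIN=https://yourdomain.com
MONITORING_ENABLED=true
AUDIT_LOGGING=true
AUTH_JWT_ACCESS_TOKEN_EXPIRES_IN=900 # 15 minutes
AUTH_JWT_REFRESH_TOKEN_EXPIRES_IN=86400 # 24 hours
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        problems = lint_production_env(text)
        print(f"{name}: {len(problems)} problem(s)")
        for p in problems:
            print("  -", p)
```

The weak sample fails on four points (console enabled, `AUDIT_LOGGING` missing, wildcard CORS, a 24-hour access token); the hardened one passes. Wiring `lint_production_env` into a CI step turns the checklist at the top of this page into a gate that cannot be skipped.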
## Security Tools

```bash
# Basic scan (secrets, permissions, config)
nself auth security scan

# Deep scan (includes SQL injection, XSS)
nself auth security scan --deep

# Scan specific environment
nself auth security scan --env=.env.prod
```

Scan checks:

- Weak passwords/secrets
- Default secrets still in use
- Secrets exposed in git
- File permissions
- SQL injection vulnerabilities
- XSS risks
- Configuration security
- Container security
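The deep scan looks for the two code-level problems shown under Development Security: SQL assembled by string concatenation and user input written into the page as HTML. The following Python is an added example, not project code: it reproduces both BAD/GOOD pairs against an in-memory SQLite table and `html.escape`, so the difference is observable rather than asserted. The table rows and inputs are constructed, and the page's PL/pgSQL `EXECUTE ... USING` maps onto sqlite3's `?` placeholder.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the users table, with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (id, email) VALUES (?, ?)",
        [("u1", "alice@example.com"), ("u2", "bob@example.com")],
    )
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    """BAD: string concatenation, the Python twin of EXECUTE '...' || user_id.
    The caller's text becomes part of the SQL, so a quote in it rewrites the query."""
    return conn.execute(f"SELECT id, email FROM users WHERE id = '{user_id}'").fetchall()


def lookup_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """GOOD: a bound parameter, the twin of EXECUTE '... = $1' USING user_id.
    The driver sends the value separately; it is only ever compared, never parsed."""
    return conn.execute("SELECT id, email FROM users WHERE id = ?", (user_id,)).fetchall()


def render_comment_unsafe(user_input: str) -> str:
    """BAD: like div.innerHTML = userInput, the text is handed to the HTML parser as markup."""
    return f"<div>{user_input}</div>"


def render_comment_safe(user_input: str) -> str:
    """GOOD: like div.textContent = userInput or React's {userInput}, markup characters are escaped."""
    return f"<div>{html.escape(user_input, quote=True)}</div>"


def demo() -> dict:
    """Run both pairs against malformed input and return the observable differences."""
    conn = make_db()
    # A user id containing a quote; legitimate ids never do, so the safe lookup returns no rows.
    odd_id = "u1' OR '1'='1"
    markup = "<script>alert('xss')</script>"
    return {
        "unsafe_rows": len(lookup_user_unsafe(conn, odd_id)),  # every row: the quote closed the literal
        "safe_rows": len(lookup_user_safe(conn, odd_id)),      # 0: compared as one opaque string
        "unsafe_html": render_comment_unsafe(markup),          # script tag survives intact
        "safe_html": render_comment_safe(markup),              # &lt;script&gt;... renders as text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the demo is the contrast: the same input returns every row through the concatenated query and none through the parameterized one, and the same markup reaches the browser as executable HTML in one rendering and as inert text in the other. A scanner flags the first form of each pair; the fix is always to switch to the second, never to filter the input.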
```bash
# Full production readiness audit
nself auth security audit

# Checks:
# - SSL/TLS configuration
# - Authentication security
# - Monitoring status
# - Backup configuration
# - Network security
# - Database security
# - Compliance readiness
```

```bash
# Generate security report
nself auth security report --output=security-report.txt

# Share with security team
mail -s "Security Audit" [email protected] < security-report.txt
```

```bash
# Rotate specific secret
nself auth security rotate POSTGRES_PASSWORD

# Rotate all secrets
for secret in POSTGRES_PASSWORD HASURA_GRAPHQL_ADMIN_SECRET JWT_SECRET; do
  nself auth security rotate "$secret"
done

# Restart services to apply
nself restart
```

## Incident Response

- Detection

  ```bash
  # Monitor for suspicious activity
  nself logs --grep="authentication failed"
  nself logs --grep="permission denied"

  # Check for brute force attempts
  grep "Failed login" logs/auth.log | wc -l
  ```

- Containment

  ```bash
  # Immediately rotate compromised secrets
  nself auth security rotate HASURA_GRAPHQL_ADMIN_SECRET

  # Block suspicious IPs. ufw evaluates rules in order, so insert the deny at
  # position 1; appended after the allow rules it would never match on 80/443.
  ufw insert 1 deny from 1.2.3.4

  # Disable compromised user accounts
  # (Use Hasura console or SQL)
  ```

- Investigation

  ```bash
  # Review audit logs
  tail -n 1000 logs/audit.log

  # Check for data exfiltration
  nself logs --since=24h --grep="SELECT.*FROM"

  # Generate forensic report
  nself auth security report --output=incident-$(date +%Y%m%d).txt
  ```

- Recovery

  ```bash
  # Restore from clean backup
  nself backup restore backup-YYYYMMDD-HHMMSS.sql

  # Verify system integrity
  nself doctor
  nself auth security scan --deep
  ```

- Post-Incident
  - Document incident timeline
  - Update security procedures
  - Implement additional controls
  - Conduct post-mortem review
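The Detection step above counts failed logins with `grep ... | wc -l`, which gives a total but says nothing about who is failing, against which accounts, or how fast. The following Python is an added example, not part of nself: it assumes a constructed auth-log line format (nself's real format may differ, so adjust `LINE_RE` to match it), keeps a sliding 10-minute window of failures per source IP, and reports every source that crosses a failure threshold together with the accounts it tried. The sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not nself's real layout): adjust LINE_RE to match your auth.log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \[auth\] Failed login for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed sample lines: one source hammering several accounts, another failing occasionally.
SAMPLE_LOG = """\
2026-01-31T10:00:01Z [auth] Failed login for alice from 203.0.113.10
2026-01-31T10:00:03Z [auth] Failed login for alice from 203.0.113.10
2026-01-31T10:00:04Z [auth] Login succeeded for bob from 198.51.100.7
2026-01-31T10:00:05Z [auth] Failed login for admin from 203.0.113.10
2026-01-31T10:00:06Z [auth] Failed login for root from 203.0.113.10
2026-01-31T10:00:08Z [auth] Failed login for alice from 203.0.113.10
2026-01-31T10:00:09Z [auth] Failed login for carol from 198.51.100.7
2026-01-31T10:20:00Z [auth] Failed login for carol from 198.51.100.7
2026-01-31T10:40:00Z [auth] Failed login for carol from 198.51.100.7
"""


def parse_failed_logins(text: str):
    """Yield (timestamp, user, source_ip) for each failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["ip"]


def detect_bruteforce(text: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Flag sources with at least `threshold` failures inside any `window`-long span.

    Lines are assumed to be in time order, as a log file is. Returns {ip: details} with the
    start of the offending span, the failure count and the distinct accounts tried, so a
    single password sprayed across many users is as visible as one account being hammered.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) still inside the window
    alerts = {}
    for ts, user, ip in parse_failed_logins(text):
        events = recent[ip]
        events.append((ts, user))
        while events and ts - events[0][0] > window:
            events.popleft()  # drop failures that have aged out of the window
        if len(events) >= threshold and ip not in alerts:
            alerts[ip] = {
                "since": events[0][0],
                "failures": len(events),
                "users": sorted({u for _, u in events}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures since {info['since']:%H:%M:%S}, accounts {info['users']}")
```

On the sample, `203.0.113.10` is reported after its fifth failure in eight seconds across three accounts, while `198.51.100.7` (three failures spread over forty minutes) stays below the threshold. The alert output is what feeds the Containment step: the IP to block and the accounts whose credentials should be reset.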
```bash
# Security team contacts (customize for your org)
[email protected]
SECURITY_TEAM_SLACK=#security-alerts
SECURITY_ONCALL=+1-555-SECURITY
```

- Strong random secrets generated
- `.gitignore` includes `.env*`
- Git hooks installed
- Regular security scans
- No production data in dev
- Separate secrets from production
- SSL enabled
- Monitoring enabled
- Access restricted to team
- Regular security audits
- All default secrets rotated
- SSL/TLS with valid certificate
- Hasura console disabled
- CORS restricted to domain
- Monitoring and alerting enabled
- Backup strategy implemented
- Firewall configured
- Audit logging enabled
- MFA for admin accounts
- Incident response plan documented
```bash
# Security scanning
nself auth security scan              # Basic scan
nself auth security scan --deep       # Deep scan with SQL/XSS
nself auth security audit             # Production audit
nself auth security report            # Generate report

# Secret management
nself auth security rotate <SECRET>   # Rotate secret
openssl rand -hex 32                  # 32 random bytes as 64 hex characters
openssl rand -base64 32               # 32 random bytes as 44 base64 characters

# SSL management
nself auth ssl generate               # Generate self-signed
nself auth ssl renew                  # Renew Let's Encrypt
nself auth ssl info                   # Certificate info
nself auth ssl trust                  # Trust local certificates

# Monitoring
nself logs --grep="error"             # Search logs
nself status                          # Service health
nself doctor                          # Diagnostics
```

- nself Security Documentation
- SQL Injection Prevention
- Input Validation Reference
- Dependency Scanning

For security issues or questions:

- Security Email: [email protected]
- GitHub Issues: github.com/nself-org/cli/issues
- Documentation: nself.org/docs/security

Report security vulnerabilities privately to: [email protected]