Security controls focus on authentication, secrets management, network isolation, TLS posture, and protective controls against abuse.

Authentication

Use JWT-based authentication with RSA key pairs so only authorized users interact with the platform. Single sign-on via OIDC or SAML 2.0 can be layered on when needed. Actionable steps:
  • Generate an RSA key pair (example):
openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in private.key -out public.key
  • Validate JWTs in your backend with the public key.
  • Rotate signing keys every 30-90 days for long-running deployments.
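The backend side of the steps above, as an added example that is not part of this page or the platform's own code: an RS256 verifier that pins the algorithm, selects the public key by the token's `kid` header so two keys can be live during a rotation window, and rejects expired tokens. The `Sign` function is only the issuer half needed to make the example self-contained; key IDs such as "2024-01" are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Header is the JWT header; "kid" names which of the rotated signing keys was used.
type Header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Kid string `json:"kid"`
}

// Claims is the subset of registered claims this backend checks.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// KeySet maps key IDs to public keys. Rotation means publishing the new key,
// signing with it, and dropping the old key once tokens signed by it have expired.
type KeySet map[string]*rsa.PublicKey

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mustKey generates a 2048-bit key, matching the openssl command above (demo helper).
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Sign is the issuer side, included only so the example runs on its own.
func Sign(priv *rsa.PrivateKey, kid string, claims Claims) (string, error) {
	h, _ := json.Marshal(Header{Alg: "RS256", Typ: "JWT", Kid: kid})
	c, _ := json.Marshal(claims)
	signingInput := b64(h) + "." + b64(c)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Verify is the backend check: fixed algorithm, key chosen by kid, signature over
// the exact bytes received, then expiry evaluated against the caller's clock.
func Verify(keys KeySet, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var h Header
	if err := json.Unmarshal(hb, &h); err != nil {
		return Claims{}, err
	}
	if h.Alg != "RS256" { // the server decides the algorithm, never the token
		return Claims{}, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	pub, ok := keys[h.Kid]
	if !ok {
		return Claims{}, fmt.Errorf("unknown or retired kid %q", h.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, errors.New("signature does not verify")
	}
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(cb, &c); err != nil {
		return Claims{}, err
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired or has no exp")
	}
	return c, nil
}

func main() {
	// Constructed demo: two keys are live at once during a rotation window.
	oldKey, newKey := mustKey(), mustKey()
	keys := KeySet{"2024-01": &oldKey.PublicKey, "2024-04": &newKey.PublicKey}
	tok, _ := Sign(newKey, "2024-04", Claims{Sub: "alice", Exp: time.Now().Add(time.Hour).Unix()})
	c, err := Verify(keys, tok, time.Now())
	fmt.Println("subject:", c.Sub, "err:", err)
	delete(keys, "2024-01") // retire the old key once its last tokens have expired
	_, err = Verify(keys, tok, time.Now())
	fmt.Println("still valid after retiring 2024-01:", err == nil)
}
```

Loading the PEM files produced by the openssl commands is the only piece missing for a real deployment: parse `public.key` with `x509.ParsePKIXPublicKey` and register it under the `kid` the issuer uses.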

Secrets management

Centralize and encrypt sensitive data such as passwords, API keys, and tokens.
  • HashiCorp Vault for RBAC, audit logs, and encrypted storage.
    • Store a secret: vault kv put secret/dbpassword value="your-secure-password"
    • Retrieve secrets via Vault APIs or client libraries.
  • Docker Swarm secrets, which are encrypted in transit and at rest and injected into containers at runtime.
    • Create a secret:
echo "your-secure-password" | docker secret create db_password -
    • Reference the secret in your compose file or service definition so it is mounted into the container.

Network security

Run backend services on private overlay networks and expose only NGINX to the internet. Actionable steps:
  • Create a private overlay network:
docker network create --driver overlay private_network
  • Harden firewall rules to allow only the necessary ports (80/443) and block the rest, for example:
sudo ufw allow 80,443/tcp
sudo ufw default deny incoming
sudo ufw enable

TLS configuration

Encrypt all traffic with TLS 1.2 or higher and plan for seamless certificate rotation.
  • Enforce strong TLS in NGINX:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:...';
  • Maintain at least two certificates to rotate without downtime.
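Both TLS points above in working code, as an added example that is neither this page's nor the platform's own code: a Go server configuration with the same TLS 1.2 floor as the NGINX `ssl_protocols` line, plus a certificate store that can be swapped atomically so a renewed certificate is served to the next handshake without a restart. `Probe` runs a handshake over an in-memory pipe so the behaviour can be checked offline; the self-signed certificates and the name `app.example.internal` are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// CertStore holds the certificate that new handshakes receive. Swap is atomic, so a
// renewal takes effect for the next ClientHello without restarting or dropping connections.
type CertStore struct{ cur atomic.Pointer[tls.Certificate] }

func (s *CertStore) Swap(c *tls.Certificate) { s.cur.Store(c) }

// Get satisfies tls.Config.GetCertificate.
func (s *CertStore) Get(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return s.cur.Load(), nil
}

// ServerConfig enforces the same floor as the NGINX ssl_protocols line: TLS 1.2 minimum.
func ServerConfig(store *CertStore) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: store.Get}
}

// SelfSigned builds a throwaway certificate (constructed for the demo; real deployments
// load CA-issued certificates from disk or a secrets store).
func SelfSigned(cn string, notAfter time.Time) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Probe runs one handshake over an in-memory pipe (no sockets) with a client capped at
// clientMax, returning the negotiated version and the expiry of the certificate served.
func Probe(cfg *tls.Config, clientMax uint16) (uint16, time.Time, error) {
	srvRaw, cliRaw := net.Pipe()
	defer srvRaw.Close()
	defer cliRaw.Close()
	srvCfg := cfg.Clone()
	srvCfg.SessionTicketsDisabled = true // the synchronous pipe must not block on post-handshake writes
	done := make(chan error, 1)
	go func() { done <- tls.Server(srvRaw, srvCfg).Handshake() }()
	cli := tls.Client(cliRaw, &tls.Config{
		InsecureSkipVerify: true, // demo only: the cert is self-signed and has no CA to chain to
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         clientMax,
	})
	if err := cli.Handshake(); err != nil {
		cliRaw.Close() // unblock the server side if it is still waiting on the pipe
		<-done
		return 0, time.Time{}, err
	}
	<-done
	st := cli.ConnectionState()
	return st.Version, st.PeerCertificates[0].NotAfter, nil
}

func main() {
	store := &CertStore{}
	first, _ := SelfSigned("app.example.internal", time.Now().Add(7*24*time.Hour))
	store.Swap(first)
	cfg := ServerConfig(store)
	ver, exp, err := Probe(cfg, tls.VersionTLS13)
	fmt.Printf("version=%#x expires=%s err=%v\n", ver, exp.Format(time.RFC3339), err)
	_, _, err = Probe(cfg, tls.VersionTLS11)
	fmt.Println("TLS 1.1 client refused:", err != nil)
	second, _ := SelfSigned("app.example.internal", time.Now().Add(90*24*time.Hour))
	store.Swap(second) // the renewed certificate; no listener restart needed
	_, exp, _ = Probe(cfg, tls.VersionTLS13)
	fmt.Println("now serving cert expiring", exp.Format(time.RFC3339))
}
```

In production the same `Swap` would be driven by a file watcher or a timer that reloads the renewed PEM pair; the second certificate the page recommends is simply the one waiting to be swapped in.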

Additional security measures

  • Rate limiting: protect against abuse or DDoS using NGINX rate limits:
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
limit_req zone=mylimit burst=20;
  • IP allowlisting: restrict access to sensitive services:
sudo ufw allow from 192.168.1.0/24 to any port 3306
  • Log monitoring: collect and monitor logs (e.g., Prometheus alerts, Grafana dashboards, ELK/Loki) to detect suspicious activity.
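The detection side of the rate-limiting and log-monitoring points above, as an added example that is not from this page or the platform: a small analyzer that parses NGINX "combined" access log lines and flags clients whose request rate exceeds a threshold in any sliding window (traffic the `limit_req` zone should already be absorbing) and clients that accumulate repeated 401/403 responses on the login path. The log lines are constructed sample data using RFC 5737 documentation addresses, and the thresholds are parameters chosen for the demo, not recommendations.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
	"time"
)

// combinedRe matches NGINX's default "combined" access log format:
// $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
var combinedRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "[^"]*"$`)

// Entry is the subset of an access log line the detector needs.
type Entry struct {
	IP      string
	At      time.Time
	Request string
	Status  int
}

// ParseLine returns ok=false for lines that are not in combined format.
func ParseLine(line string) (Entry, bool) {
	m := combinedRe.FindStringSubmatch(line)
	if m == nil {
		return Entry{}, false
	}
	at, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
	if err != nil {
		return Entry{}, false
	}
	status, _ := strconv.Atoi(m[4])
	return Entry{IP: m[1], At: at, Request: m[3], Status: status}, true
}

// Finding is one alert-worthy observation about a client IP.
type Finding struct {
	IP     string
	Count  int
	Reason string
}

// maxInWindow returns the largest number of timestamps falling in any span of length window.
func maxInWindow(times []time.Time, window time.Duration) int {
	sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
	best, lo := 0, 0
	for hi := range times {
		for times[hi].Sub(times[lo]) >= window {
			lo++
		}
		if n := hi - lo + 1; n > best {
			best = n
		}
	}
	return best
}

// Analyze flags IPs exceeding maxReq requests in any window and IPs with at least
// maxAuthFail 401/403 responses on loginPath (repeated failed logins).
func Analyze(lines []string, window time.Duration, maxReq int, loginPath string, maxAuthFail int) []Finding {
	times := map[string][]time.Time{}
	authFail := map[string]int{}
	for _, l := range lines {
		e, ok := ParseLine(l)
		if !ok {
			continue // unparseable lines are skipped, not fatal
		}
		times[e.IP] = append(times[e.IP], e.At)
		f := strings.Fields(e.Request) // "METHOD PATH PROTO"
		if (e.Status == 401 || e.Status == 403) && len(f) >= 2 && strings.HasPrefix(f[1], loginPath) {
			authFail[e.IP]++
		}
	}
	var out []Finding
	for ip, ts := range times {
		if n := maxInWindow(ts, window); n > maxReq {
			out = append(out, Finding{IP: ip, Count: n, Reason: "request burst above threshold"})
		}
		if n := authFail[ip]; n >= maxAuthFail {
			out = append(out, Finding{IP: ip, Count: n, Reason: "repeated auth failures on " + loginPath})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP+out[i].Reason < out[j].IP+out[j].Reason })
	return out
}

// SampleLog is constructed test data: one client failing logins, one browsing normally,
// one bursting at an API path, and one line that is not in combined format.
var SampleLog = []string{
	`203.0.113.7 - - [10/Mar/2024:14:02:01 +0000] "POST /login HTTP/1.1" 401 52 "-" "curl/8.5.0"`,
	`203.0.113.7 - - [10/Mar/2024:14:02:02 +0000] "POST /login HTTP/1.1" 401 52 "-" "curl/8.5.0"`,
	`203.0.113.7 - - [10/Mar/2024:14:02:03 +0000] "POST /login HTTP/1.1" 401 52 "-" "curl/8.5.0"`,
	`203.0.113.7 - - [10/Mar/2024:14:02:04 +0000] "POST /login HTTP/1.1" 401 52 "-" "curl/8.5.0"`,
	`203.0.113.7 - - [10/Mar/2024:14:02:05 +0000] "POST /login HTTP/1.1" 200 310 "-" "curl/8.5.0"`,
	`198.51.100.20 - alice [10/Mar/2024:14:02:10 +0000] "GET /dashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0"`,
	`198.51.100.20 - alice [10/Mar/2024:14:02:15 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`192.0.2.33 - - [10/Mar/2024:14:02:20 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "python-requests/2.31"`,
	`192.0.2.33 - - [10/Mar/2024:14:02:20 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "python-requests/2.31"`,
	`192.0.2.33 - - [10/Mar/2024:14:02:21 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "python-requests/2.31"`,
	`192.0.2.33 - - [10/Mar/2024:14:02:21 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "python-requests/2.31"`,
	`192.0.2.33 - - [10/Mar/2024:14:02:22 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "python-requests/2.31"`,
	`192.0.2.33 - - [10/Mar/2024:14:02:22 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "python-requests/2.31"`,
	`192.0.2.33 - - [10/Mar/2024:14:02:23 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "python-requests/2.31"`,
	`not a log line`,
}

func main() {
	for _, f := range Analyze(SampleLog, 10*time.Second, 5, "/login", 3) {
		fmt.Printf("%-14s %3d  %s\n", f.IP, f.Count, f.Reason)
	}
}
```

The same logic transfers directly to a Loki or ELK query: group by `$remote_addr`, count within a window, and alert when the count or the share of 401/403 responses crosses the thresholds you tune for your traffic.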