Security Hardening
Security hardening checklist for production EZ-Console deployments.
Overview
This guide provides a comprehensive security hardening checklist for production deployments of EZ-Console applications.
Application Security
Encryption Key
Critical: Use a strong, randomly generated encryption key (32 bytes recommended):
# Generate secure key: 16 random bytes, printed as 32 hex characters (128 bits of entropy)
openssl rand -hex 16
# Use in deployment
export GLOBAL_ENCRYPT_KEY=$(openssl rand -hex 16)
Note that -hex 16 yields a 32-character string but only 16 bytes of randomness. Check the key length EZ-Console accepts (see Security Settings); if it accepts 64 hex characters, prefer openssl rand -hex 32 for a full 32 random bytes. Keep the key in a secret manager or an environment file readable only by the application user, never in the repository.
Never:
- Use weak, short, or predictable keys (a passphrase, a default, or a value copied from documentation)
- Commit keys to source control, paste them into tickets, or share them publicly
- Change or rotate the key without re-encrypting existing data first: anything encrypted under the old key becomes unreadable
JWT Configuration
jwt:
  secret: "${JWT_SECRET}"   # Strong random string, read from the environment, never hard-coded
  expiration: "24h"         # Upper bound; prefer shorter lifetimes (1h or less) for admin sessions and rely on renewal
Generate a secure JWT secret (32 random bytes, base64-encoded):
openssl rand -base64 32
A token signed with a shared secret is only as strong as that secret: anyone who obtains it can mint tokens for any user. Treat it like the encryption key above and rotate it (which invalidates all outstanding tokens) if it is ever exposed.
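The settings above only help if the server verifies tokens strictly. The following is an added example, not EZ-Console's own JWT code (the page does not state which algorithm or claim set the framework uses): an HS256 issue/verify pair using only the Go standard library. Verify pins the algorithm so a forged "alg":"none" token is refused, compares the MAC in constant time before looking at any claim, and enforces exp. The names Issue, Verify and Claims and the placeholder secret are assumptions made here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the minimal claim set this example issues and checks.
type Claims struct {
	Subject   string `json:"sub"`
	ExpiresAt int64  `json:"exp"`
}

var (
	ErrMalformed = errors.New("jwt: malformed token")
	ErrAlg       = errors.New("jwt: unexpected alg")
	ErrSignature = errors.New("jwt: bad signature")
	ErrExpired   = errors.New("jwt: token expired")
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// sign computes HMAC-SHA256 over the header.payload signing input.
func sign(secret []byte, signingInput string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// Issue creates an HS256 token for sub that expires ttl after now.
func Issue(secret []byte, sub string, ttl time.Duration, now time.Time) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(Claims{Subject: sub, ExpiresAt: now.Add(ttl).Unix()})
	signingInput := header + "." + b64(body)
	return signingInput + "." + b64(sign(secret, signingInput))
}

// Verify checks structure, pins the algorithm to HS256 (so "alg":"none" and
// key-confusion tokens are refused), compares the MAC in constant time, and
// only then parses and checks the claims.
func Verify(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformed
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, ErrMalformed
	}
	if hdr.Alg != "HS256" {
		return nil, ErrAlg
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, ErrMalformed
	}
	if !hmac.Equal(sig, sign(secret, parts[0]+"."+parts[1])) {
		return nil, ErrSignature
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformed
	}
	var c Claims
	if json.Unmarshal(payload, &c) != nil {
		return nil, ErrMalformed
	}
	// A token without exp is treated as expired: never accept unbounded lifetimes.
	if c.ExpiresAt == 0 || !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, ErrExpired
	}
	return &c, nil
}

func main() {
	secret := []byte("replace-with-output-of-openssl-rand-base64-32") // placeholder only
	now := time.Now()
	tok := Issue(secret, "alice", 24*time.Hour, now)
	c, err := Verify(secret, tok, now)
	fmt.Println("valid token:", c.Subject, err)

	// A forged token with "alg":"none" and an empty signature must be rejected.
	forged := b64([]byte(`{"alg":"none"}`)) + "." + strings.Split(tok, ".")[1] + "."
	_, err = Verify(secret, forged, now)
	fmt.Println("forged token:", err)
}
```

The order of checks is deliberate: the signature is verified before the payload is decoded, so an attacker cannot drive claim parsing with unauthenticated input.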
Password Policies
Configure strong password policies:
password_min_length: 12
password_require_uppercase: true
password_require_lowercase: true
password_require_number: true
password_require_special: true
password_expiration_days: 90   # optional; NIST SP 800-63B advises against forced periodic rotation unless compromise is suspected
password_history_count: 5
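To show what those settings mean when enforced, here is an added example (not EZ-Console's own validator, whose implementation the page does not show) of a Go policy checker with the same fields. It counts runes rather than bytes so non-ASCII passwords are measured fairly, reports every violated rule at once, and checks password history through a caller-supplied comparison against stored hashes so that plaintext history is never kept. PasswordPolicy, Validate and the matcher callback are names chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"unicode"
	"unicode/utf8"
)

// PasswordPolicy mirrors the password_* settings above.
type PasswordPolicy struct {
	MinLength      int
	RequireUpper   bool
	RequireLower   bool
	RequireNumber  bool
	RequireSpecial bool
	HistoryCount   int // how many previous passwords may not be reused (0 disables)
}

// Validate returns every rule the candidate violates so the caller can report
// all of them at once. previousHashes must be ordered newest first; matches is
// supplied by the caller and compares the candidate against a stored hash
// (bcrypt/argon2), so this function never sees old passwords in plaintext.
func (p PasswordPolicy) Validate(candidate string, previousHashes []string, matches func(candidate, hash string) bool) []error {
	var errs []error
	// Count runes, not bytes, so multibyte characters count as one character.
	if utf8.RuneCountInString(candidate) < p.MinLength {
		errs = append(errs, fmt.Errorf("password must be at least %d characters", p.MinLength))
	}
	var upper, lower, digit, special bool
	for _, r := range candidate {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special = true
		}
	}
	if p.RequireUpper && !upper {
		errs = append(errs, errors.New("password must contain an uppercase letter"))
	}
	if p.RequireLower && !lower {
		errs = append(errs, errors.New("password must contain a lowercase letter"))
	}
	if p.RequireNumber && !digit {
		errs = append(errs, errors.New("password must contain a digit"))
	}
	if p.RequireSpecial && !special {
		errs = append(errs, errors.New("password must contain a special character"))
	}
	if p.HistoryCount > 0 {
		recent := previousHashes
		if len(recent) > p.HistoryCount {
			recent = recent[:p.HistoryCount] // only the newest HistoryCount entries count
		}
		for _, h := range recent {
			if matches(candidate, h) {
				errs = append(errs, errors.New("password was used recently"))
				break
			}
		}
	}
	return errs
}

func main() {
	policy := PasswordPolicy{MinLength: 12, RequireUpper: true, RequireLower: true, RequireNumber: true, RequireSpecial: true, HistoryCount: 5}
	// Stand-in for bcrypt.CompareHashAndPassword; a real deployment compares against hashes.
	plaintextMatch := func(candidate, stored string) bool { return candidate == stored }
	history := []string{"Tr0ub4dor&3x"} // constructed sample history
	for _, pw := range []string{"password", "Correct-Horse-9", "Tr0ub4dor&3x"} {
		fmt.Printf("%q -> %v\n", pw, policy.Validate(pw, history, plaintextMatch))
	}
}
```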
Session Security
session_idle_timeout_minutes: 30
session_max_concurrent: 3
session_auto_renew: true
Network Security
HTTPS/SSL
Always use HTTPS in production:
- Obtain an SSL/TLS certificate from Let's Encrypt (free), a commercial CA, or an internal CA.
- Configure Nginx (replace example.com with your hostname):
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    # The legacy XSS auditor is deprecated and removed from modern browsers; "0" disables it
    # (it has been abused to create vulnerabilities). Rely on Content-Security-Policy instead.
    add_header X-XSS-Protection "0" always;
}
- Redirect HTTP to HTTPS:
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
Firewall Configuration
# Deny all inbound traffic by default, then allow only the necessary ports
ufw default deny incoming
ufw default allow outgoing
ufw allow from 203.0.113.0/24 to any port 22 proto tcp   # SSH, restricted to the admin network (placeholder CIDR)
ufw allow 80/tcp    # HTTP (redirects to HTTPS)
ufw allow 443/tcp   # HTTPS
ufw enable
Do not open the port EZ-Console itself listens on: bind it to 127.0.0.1 or leave it firewalled so that only the reverse proxy can reach it.
Rate Limiting
// Configure rate limiting: rateLimitMiddleware stands for a middleware allowing
// 100 requests per minute per client; apply it to login and other authentication
// endpoints first, where it blunts credential stuffing and brute force
engine.Use(rateLimitMiddleware(100, time.Minute))
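The page does not show what rateLimitMiddleware does, so here is an added example (not EZ-Console's own middleware) of a per-client token-bucket limiter using only the Go standard library, with a net/http wrapper that answers 429 when a client's bucket is empty. The limiter core, Allow(key, now), is independent of the HTTP layer and can be called from a gin middleware in the same way. Clients are keyed by the TCP peer address rather than X-Forwarded-For, which is only trustworthy when a reverse proxy you control sets it. Limiter, NewLimiter and Middleware are names chosen here.

```go
package main

import (
	"net"
	"net/http"
	"sync"
	"time"
)

// bucket is a classic token bucket: tokens are spent per request and refilled
// continuously at a fixed rate, so short bursts are tolerated but not sustained floods.
type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter keeps one bucket per client key (here the client IP).
type Limiter struct {
	mu       sync.Mutex
	capacity float64
	refill   float64 // tokens per second
	buckets  map[string]*bucket
}

// NewLimiter allows limit requests per window per client, with bursts up to limit.
func NewLimiter(limit int, window time.Duration) *Limiter {
	return &Limiter{
		capacity: float64(limit),
		refill:   float64(limit) / window.Seconds(),
		buckets:  make(map[string]*bucket),
	}
}

// Allow reports whether key may proceed at time now, consuming one token if so.
func (l *Limiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.capacity, last: now}
		l.buckets[key] = b
	}
	if elapsed := now.Sub(b.last).Seconds(); elapsed > 0 {
		b.tokens += elapsed * l.refill
		if b.tokens > l.capacity {
			b.tokens = l.capacity
		}
		b.last = now
	}
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// clientKey uses the TCP peer address; X-Forwarded-For is deliberately ignored.
func clientKey(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// Middleware wraps an http.Handler and answers 429 when the bucket is empty.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.Allow(clientKey(r), time.Now()) {
			w.Header().Set("Retry-After", "60")
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	limiter := NewLimiter(100, time.Minute)
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok\n")) })
	// Listen on loopback only: the reverse proxy terminates TLS and forwards here.
	http.ListenAndServe("127.0.0.1:8080", limiter.Middleware(mux))
}
```

The map grows with the number of distinct clients; a production limiter evicts idle buckets or keeps counters in a shared store so that all instances enforce the same limit.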
Database Security
Database Credentials
Use strong passwords:
# Generate secure password
openssl rand -base64 32
Database Access
Restrict database access to a dedicated, least-privilege account:
-- MySQL: create a dedicated user; replace the placeholder password with a generated one
CREATE USER 'myapp'@'localhost' IDENTIFIED BY 'secure-password';
-- Data access only. If EZ-Console applies schema migrations at startup, grant CREATE/ALTER
-- to a separate migration account, or only for the duration of the migration run.
GRANT SELECT, INSERT, UPDATE, DELETE ON myapp.* TO 'myapp'@'localhost';
FLUSH PRIVILEGES;
Never:
- Use root user for application
- Grant unnecessary privileges
- Allow remote access without VPN/firewall
Database Encryption
Enable database encryption at rest (if supported by database).
Server Security
Operating System
- Keep the system updated:
# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y
# RHEL/CentOS/Rocky (use yum on releases that predate dnf)
sudo dnf update -y
- Disable unnecessary services
- Configure automatic security updates
- Use SELinux/AppArmor (if available)
File Permissions
# Application directory: traversable by everyone, writable only by its owner
chmod 755 /opt/myapp
# Config holds secrets (encryption key, JWT secret, DB password): readable by the application user only
chmod 600 /opt/myapp/config.yml
# Logs: writable by the application, readable by the log group, nothing for others
chmod 640 /var/log/myapp/*
# Database (if SQLite): owner only
chmod 600 /opt/myapp/*.db
User Permissions
Run the application as a dedicated non-root user:
# Create a system account with no login shell
sudo useradd -r -s /usr/sbin/nologin myapp
# Set ownership: the application user owns its config, data and logs
sudo chown -R myapp:myapp /opt/myapp
# Harden further by keeping the binary root-owned (binary path assumed) so a compromised process cannot replace it
sudo chown root:root /opt/myapp/myapp && sudo chmod 755 /opt/myapp/myapp
Application Configuration
Security Headers
Configure security headers (at the reverse proxy, or in the application if it is exposed directly):
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "0" always;   # legacy browser filter, deprecated; CSP below supersedes it
add_header Content-Security-Policy "default-src 'self'" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
A default-src 'self' policy blocks inline scripts and styles. Test the console UI with Content-Security-Policy-Report-Only first and tighten or relax the policy from the reports before enforcing it.
CORS Configuration
Restrict CORS to known origins (gin-contrib/cors shown, as the field names match that package; AllowCredentials must never be combined with a wildcard origin, since that would let any site make authenticated requests):
import (
    "time"

    "github.com/gin-contrib/cors"
)

config := cors.Config{
    AllowOrigins:     []string{"https://example.com"}, // exact origins only, never "*"
    AllowMethods:     []string{"GET", "POST", "PUT", "DELETE"},
    AllowHeaders:     []string{"Origin", "Content-Type", "Authorization"},
    ExposeHeaders:    []string{"Content-Length"},
    AllowCredentials: true,
    MaxAge:           12 * time.Hour,
}
engine.Use(cors.New(config))
Input Validation
Always validate and sanitize input: bind with validation tags, reject the request with 400 on failure, and never echo raw input back in the error (field set of CreateProductRequest assumed; the page does not define it):
type CreateProductRequest struct {
    Name string `json:"name" binding:"required,max=200"`
}

func (c *ProductController) CreateProduct(ctx *gin.Context) {
    var req CreateProductRequest
    if err := ctx.ShouldBindJSON(&req); err != nil {
        // Validation failed: reject with a generic message
        ctx.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "invalid request"})
        return
    }
    // Additional validation that tags cannot express
    if strings.TrimSpace(req.Name) == "" {
        ctx.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "name is required"})
        return
    }
    // ... create the product
}
Monitoring and Logging
Audit Logging
Enable audit logging for all critical operations; run the business logic inside the callback and return its error so that a failed operation is recorded as failed (the original snippet returned an undeclared err):
err := c.svc.StartAudit(ctx, "", func(auditLog *model.AuditLog) error {
    auditLog.ResourceType = "product"
    auditLog.Action = "create"
    // Business logic goes here; return its error instead of nil
    return nil
})
if err != nil {
    // Handle error
}
Security Monitoring
Monitor for:
- Failed login attempts
- Unusual access patterns
- Privilege escalation attempts
- Data access anomalies
Log Security
- Don't log passwords, tokens, session cookies, or Authorization headers; redact them before the line is written, not afterwards
- Encrypt sensitive log data
- Rotate logs regularly
- Store logs securely, with the permissions shown under File Permissions, and ship copies off-host so an intruder cannot erase their tracks
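Redaction is easier to reason about as a pure function over the log event. The following is an added example (not EZ-Console's logging code, which the page does not show) that blanks sensitive fields of a JSON log event by key name, case-insensitively and recursively, and masks bearer tokens and JWT-shaped strings that leak inside free-text values such as a logged header line. The sample events are constructed for the example; Redact and RedactJSONLine are names chosen here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// sensitiveKeys are field names whose values must never reach a log sink.
var sensitiveKeys = map[string]bool{
	"password": true, "passwd": true, "secret": true, "token": true,
	"access_token": true, "refresh_token": true, "authorization": true,
	"cookie": true, "set-cookie": true, "api_key": true,
}

// bearerRe catches "Bearer <token>" inside free text; jwtRe catches bare JWTs,
// which are three base64url segments joined by dots.
var (
	bearerRe = regexp.MustCompile(`(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+`)
	jwtRe    = regexp.MustCompile(`\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b`)
)

const mask = "[REDACTED]"

// Redact walks a decoded JSON event: sensitive keys are blanked in place,
// nested objects and arrays are visited, and strings are scrubbed of tokens.
func Redact(v any) any {
	switch x := v.(type) {
	case map[string]any:
		for k, val := range x {
			if sensitiveKeys[strings.ToLower(k)] {
				x[k] = mask
			} else {
				x[k] = Redact(val)
			}
		}
		return x
	case []any:
		for i := range x {
			x[i] = Redact(x[i])
		}
		return x
	case string:
		s := bearerRe.ReplaceAllString(x, "${1}"+mask)
		return jwtRe.ReplaceAllString(s, mask)
	default:
		return v
	}
}

// RedactJSONLine is the form to place in front of a JSON log writer.
func RedactJSONLine(line string) (string, error) {
	var event map[string]any
	if err := json.Unmarshal([]byte(line), &event); err != nil {
		return "", err
	}
	out, err := json.Marshal(Redact(event))
	return string(out), err
}

func main() {
	// Constructed sample events; the credentials are fake.
	samples := []string{
		`{"level":"info","msg":"login","user":"alice","password":"hunter2"}`,
		`{"level":"debug","msg":"headers","Authorization":"Bearer abc","req":{"token":"xyz"}}`,
		`{"level":"warn","msg":"upstream rejected Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abcdefghijklmnop"}`,
	}
	for _, s := range samples {
		r, err := RedactJSONLine(s)
		fmt.Println(r, err)
	}
}
```

Key-based redaction catches structured fields; the pattern pass is the safety net for secrets that end up inside messages. Keep both, and add keys as the application's own field names dictate.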
Access Control
Principle of Least Privilege
- Grant minimum necessary permissions
- Regular access reviews
- Remove unused accounts
- Limit admin access
Multi-Factor Authentication
Enable MFA for admin accounts:
mfa_enforced: true
mfa_totp_issuer: "My Company"
Account Lockout
Configure account lockout (and pair it with per-IP rate limiting, since lockout alone lets an attacker who knows a username lock its owner out):
account_lockout_threshold: 5
account_lockout_duration_minutes: 60
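As an added example of how those two settings behave in a login path (not EZ-Console's own lockout implementation, which the page does not show), the tracker below counts failures within a window, locks the account for the configured duration once the threshold is reached, checks the lock before the password so a locked account reveals nothing about credential validity, and clears the history on success. The in-memory map is for illustration; multiple instances would keep this state in the database or a shared cache. LockoutPolicy, LockoutTracker and Authenticate are names chosen here, and the credential check is a constructed stand-in.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// LockoutPolicy mirrors the account_lockout_* settings above.
type LockoutPolicy struct {
	Threshold int           // failed attempts before the account locks (5)
	Window    time.Duration // failures older than this no longer count
	Duration  time.Duration // how long the lock lasts (60 minutes)
}

type accountState struct {
	failures    []time.Time
	lockedUntil time.Time
}

// LockoutTracker holds per-account failure history and lock state.
type LockoutTracker struct {
	mu       sync.Mutex
	policy   LockoutPolicy
	accounts map[string]*accountState
}

func NewLockoutTracker(p LockoutPolicy) *LockoutTracker {
	return &LockoutTracker{policy: p, accounts: make(map[string]*accountState)}
}

// IsLocked reports whether logins for user must be refused at time now.
func (t *LockoutTracker) IsLocked(user string, now time.Time) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	s, ok := t.accounts[user]
	return ok && now.Before(s.lockedUntil)
}

// RecordFailure registers a failed attempt, drops attempts that fell out of
// the window, and returns true if this failure locked the account.
func (t *LockoutTracker) RecordFailure(user string, now time.Time) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	s, ok := t.accounts[user]
	if !ok {
		s = &accountState{}
		t.accounts[user] = s
	}
	recent := s.failures[:0]
	for _, f := range s.failures {
		if now.Sub(f) < t.policy.Window {
			recent = append(recent, f)
		}
	}
	s.failures = append(recent, now)
	if len(s.failures) >= t.policy.Threshold {
		s.lockedUntil = now.Add(t.policy.Duration)
		s.failures = nil
		return true
	}
	return false
}

// RecordSuccess clears the failure history after a successful login.
func (t *LockoutTracker) RecordSuccess(user string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	delete(t.accounts, user)
}

// Authenticate is the login path. The returned reason is for the audit log;
// the client should always receive the same generic "login failed" message.
func (t *LockoutTracker) Authenticate(user, password string, now time.Time, verify func(user, password string) bool) (bool, string) {
	if t.IsLocked(user, now) {
		return false, "locked" // refuse before touching the password
	}
	if !verify(user, password) {
		if t.RecordFailure(user, now) {
			return false, "locked"
		}
		return false, "bad_credentials"
	}
	t.RecordSuccess(user)
	return true, ""
}

func main() {
	tracker := NewLockoutTracker(LockoutPolicy{Threshold: 5, Window: 15 * time.Minute, Duration: 60 * time.Minute})
	// Constructed credential check standing in for the real password verifier.
	verify := func(user, password string) bool { return user == "alice" && password == "correct horse" }
	now := time.Now()
	for i := 0; i < 6; i++ {
		ok, reason := tracker.Authenticate("alice", "wrong", now, verify)
		fmt.Printf("attempt %d: ok=%v reason=%s\n", i+1, ok, reason)
	}
	ok, reason := tracker.Authenticate("alice", "correct horse", now.Add(61*time.Minute), verify)
	fmt.Println("after the lock expires:", ok, reason)
}
```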
Backup Security
Backup Encryption
Encrypt backup files. Use PBKDF2 key derivation (the openssl enc default derivation is weak and newer releases warn that it is deprecated) and read the passphrase from a root-only file rather than the command line, where it would land in shell history and the process list:
tar -czf - /backups | openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 -pass file:/root/backup.pass -out backup_encrypted.tar.gz.enc
Decrypt with the same options plus -d. AES-CBC gives confidentiality only: keep a sha256sum of each encrypted file to detect tampering or corruption, and test a full restore regularly.
Backup Access
- Restrict backup file access
- Store backups securely
- Encrypt backup storage
Security Checklist
Pre-Deployment
- Strong encryption key (32 bytes)
- Secure JWT secret
- Strong database passwords
- HTTPS configured
- Firewall configured
- Security headers set
- CORS restricted
- Password policies enabled
- MFA enabled for admins
- Audit logging enabled
Post-Deployment
- Monitor security logs
- Regular security updates
- Access reviews
- Backup verification
- Security scans
- Penetration testing
Security Updates
Application Updates
Keep EZ-Console framework updated:
go get -u github.com/sven-victor/ez-console@latest
go mod tidy
Dependency Updates
Regularly update dependencies and scan them for known vulnerabilities:
go list -u -m all
go get -u ./...
go mod tidy
# govulncheck reports only vulnerabilities reachable from your code, using the Go vulnerability database
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
System Updates
Enable automatic security updates:
# Ubuntu/Debian
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades   # enables the daily security-update timer
Incident Response
Security Incident Procedure
- Identify: Detect security incident
- Contain: Isolate affected systems
- Eradicate: Remove threat
- Recover: Restore normal operations
- Learn: Post-incident review
Contact Information
Maintain:
- Security team contacts
- Vendor contacts
- Incident response procedures
Related Topics
- Security Settings - Security configuration
- Troubleshooting - Security issues
Need help? Ask in GitHub Discussions.