# Venture CRM Go-Live Security Checklist

## 1) Secrets and environment

- Set `CRM_ENV=production`.
- Set a strong `CRM_SECRET_KEY` (required in production mode).
- Set `CRM_CORS_ORIGIN` to your exact app origin (scheme, host and port), not `*`.
- Optional rate limits:
  - `CRM_LOGIN_RATE_LIMIT_PER_MIN` (default `20`)
  - `CRM_WRITE_RATE_LIMIT_PER_MIN` (default `300`)

## 2) Network access

- Preferred: Tailscale private access.
- Run the app on the local host machine; share it via the tailnet only.
- Restrict the OS firewall to the Tailscale interface where possible.

## 3) TLS/HTTPS

- If the app is exposed beyond the tailnet, place it behind an HTTPS reverse proxy (Caddy/Nginx/Traefik).
- Do not expose raw HTTP directly to the internet.

## 4) Accounts and auth

- Keep invite-only user creation through admin settings.
- Rotate temporary passwords after onboarding.
- Disable/deactivate stale users.

## 5) Backups and restore safety

- Keep scheduled backups enabled.
- Run backup verification after major updates.
- Test the restore in a non-primary copy before restoring to production.

## 6) Operational monitoring

- Review the activity feed and audit log regularly.
- Watch for `429` responses as an early signal of abuse or misconfiguration (rate limits being hit).
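A preflight check for section 1, added here as an example and not part of the Venture CRM project: it reads the environment variables named in the checklist and fails if `CRM_ENV`, `CRM_SECRET_KEY`, `CRM_CORS_ORIGIN` or the optional rate limits are set unsafely. The function name, the 32-character minimum for the secret and the origin rules are this example's own assumptions, not values from the checklist.

```shell
#!/bin/sh
# Hypothetical go-live preflight for the "Secrets and environment" section.
# Only the variable names come from the checklist; the 32-char key minimum
# and the origin-format rules below are assumptions made for this example.

# crm_preflight: returns 0 when every item passes, otherwise prints each
# failed item and returns 1. Usage: crm_preflight && echo "preflight OK"
crm_preflight() {
    rc=0
    # CRM_ENV must be exactly "production"
    if [ "${CRM_ENV:-}" != "production" ]; then
        echo "FAIL: CRM_ENV must be 'production' (got '${CRM_ENV:-unset}')"
        rc=1
    fi
    # CRM_SECRET_KEY is required; 32+ characters is the assumed minimum
    key_len=$(printf '%s' "${CRM_SECRET_KEY:-}" | wc -c | tr -d ' ')
    if [ "$key_len" -lt 32 ]; then
        echo "FAIL: CRM_SECRET_KEY missing or shorter than 32 characters"
        rc=1
    fi
    # CRM_CORS_ORIGIN must be one exact origin (scheme://host[:port]):
    # no wildcard, no list, no path or trailing slash
    case "${CRM_CORS_ORIGIN:-}" in
        "" | *"*"* | *,* | *" "*)
            echo "FAIL: CRM_CORS_ORIGIN must be a single exact origin, not '*' or a list"
            rc=1 ;;
        https://*/* | http://*/*)
            echo "FAIL: CRM_CORS_ORIGIN must not contain a path or trailing slash"
            rc=1 ;;
        https://*) ;;  # acceptable
        http://*)
            echo "WARN: CRM_CORS_ORIGIN uses plain http; acceptable only inside the tailnet" ;;
        *)
            echo "FAIL: CRM_CORS_ORIGIN must start with https:// (or http:// on the tailnet)"
            rc=1 ;;
    esac
    # Optional rate limits: unset means the documented default applies;
    # if set, the value must be a positive integer
    for v in CRM_LOGIN_RATE_LIMIT_PER_MIN CRM_WRITE_RATE_LIMIT_PER_MIN; do
        eval "val=\${$v:-}"
        [ -z "$val" ] && continue
        case "$val" in
            *[!0-9]*) echo "FAIL: $v must be a positive integer (got '$val')"; rc=1; continue ;;
        esac
        if [ "$val" -eq 0 ]; then echo "FAIL: $v must be greater than 0"; rc=1; fi
    done
    return $rc
}
```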