# Venture CRM Go-Live Security Checklist

## 1) Secrets and environment

- Set `CRM_ENV=production`.
- Set a strong `CRM_SECRET_KEY` (required in production mode).
- Set `CRM_CORS_ORIGIN` to your exact app origin (not `*`).
- Optional rate limits:
  - `CRM_LOGIN_RATE_LIMIT_PER_MIN` (default `20`)
  - `CRM_WRITE_RATE_LIMIT_PER_MIN` (default `300`)

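A preflight script for the variables in this section, added here as an example (it is not part of Venture CRM). It fails when `CRM_ENV` is not `production`; when `CRM_SECRET_KEY` is missing, shorter than 32 characters (an assumed floor, since the checklist only says "strong") or looks like a placeholder; when `CRM_CORS_ORIGIN` is unset, `*`, or lists more than one origin; and when an optional rate-limit variable is set to anything but a positive integer. The file name `crm_preflight.sh` and the `--run` flag are assumptions of this example.

```shell
#!/bin/sh
# crm_preflight.sh (hypothetical name): validate the CRM_* environment
# before go-live. Added example, not part of the Venture CRM project.

# check_crm_env: inspects the CRM_* variables of the current environment,
# prints one line per problem, returns 0 when everything passes, 1 otherwise.
check_crm_env() {
    fail=0

    # 1. Production mode must be set explicitly.
    if [ "${CRM_ENV:-}" != "production" ]; then
        echo "FAIL: CRM_ENV must be 'production' (got '${CRM_ENV:-unset}')"
        fail=1
    fi

    # 2. Secret key: present, at least 32 characters (assumed floor), and not
    #    an obvious placeholder value.
    key=${CRM_SECRET_KEY:-}
    if [ "${#key}" -lt 32 ]; then
        echo "FAIL: CRM_SECRET_KEY is missing or shorter than 32 characters"
        fail=1
    fi
    case "$key" in
        *changeme*|*secret*|*password*)
            echo "FAIL: CRM_SECRET_KEY looks like a placeholder"
            fail=1 ;;
    esac

    # 3. CORS origin: exactly one origin, never the wildcard. A non-https
    #    origin is only warned about, because a tailnet-only deployment may
    #    legitimately run plain HTTP (see the network section).
    case "${CRM_CORS_ORIGIN:-}" in
        "")        echo "FAIL: CRM_CORS_ORIGIN is unset"; fail=1 ;;
        "*")       echo "FAIL: CRM_CORS_ORIGIN must not be '*'"; fail=1 ;;
        *,*|*" "*) echo "FAIL: CRM_CORS_ORIGIN must be a single origin"; fail=1 ;;
        https://*) ;;
        *)         echo "WARN: CRM_CORS_ORIGIN is not https: ${CRM_CORS_ORIGIN}" ;;
    esac

    # 4. Optional rate limits: if set at all, they must be positive integers.
    for var in CRM_LOGIN_RATE_LIMIT_PER_MIN CRM_WRITE_RATE_LIMIT_PER_MIN; do
        eval "val=\${$var:-}"
        if [ -n "$val" ]; then
            case "$val" in
                *[!0-9]*|0) echo "FAIL: $var must be a positive integer (got '$val')"; fail=1 ;;
            esac
        fi
    done

    return "$fail"
}

# Usage (assumed invocation): source this file and call check_crm_env, or
#   sh crm_preflight.sh --run && echo "preflight OK"
if [ "${1:-}" = "--run" ]; then
    check_crm_env
fi
```

Run it in the same shell session or service environment that will start the app, so it sees exactly the values the process will see.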
## 2) Network access

- Preferred: private access over Tailscale.
- Run the app on the local host machine and share it through the tailnet only.
- Restrict the OS firewall to the Tailscale interface where possible.

## 3) TLS/HTTPS

- If the app is exposed beyond the tailnet, place it behind an HTTPS reverse proxy (Caddy/Nginx/Traefik).
- Do not expose raw HTTP directly to the internet.

## 4) Accounts and auth

- Keep user creation invite-only through the admin settings.
- Rotate temporary passwords after onboarding.
- Disable/deactivate stale users.

## 5) Backups and restore safety

- Keep scheduled backups enabled.
- Run backup verification after major updates.
- Test the restore on a non-primary copy before restoring to production.

## 6) Operational monitoring

- Review the activity feed and audit log regularly.
- Watch `429` responses as an early signal of abuse or misconfiguration.
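A small script for the `429` item above, added here as an example (not part of Venture CRM). It counts `429` responses per client in reverse-proxy access-log lines and flags clients at or above a threshold. The Nginx "combined" log format is assumed, the log lines are constructed for the example, and the threshold is arbitrary: repeated login `429`s from one source look like abuse, while scattered `429`s on ordinary writes from a known user more likely mean `CRM_WRITE_RATE_LIMIT_PER_MIN` is set too low.

```shell
#!/bin/sh
# Summarise 429 responses per client from reverse-proxy access logs.
# Added example, not part of the Venture CRM project.

# Constructed sample log lines in Nginx "combined" format (not real traffic):
# one client hammering the login endpoint, one ordinary user hitting a write
# limit once, and one failed login that is not rate limited.
SAMPLE_LOG='203.0.113.7 - - [10/May/2025:10:00:01 +0000] "POST /api/login HTTP/1.1" 429 52 "-" "curl/8.0"
203.0.113.7 - - [10/May/2025:10:00:02 +0000] "POST /api/login HTTP/1.1" 429 52 "-" "curl/8.0"
203.0.113.7 - - [10/May/2025:10:00:03 +0000] "POST /api/login HTTP/1.1" 429 52 "-" "curl/8.0"
198.51.100.4 - - [10/May/2025:10:00:05 +0000] "GET /api/contacts HTTP/1.1" 200 812 "https://crm.example.com" "Mozilla/5.0"
198.51.100.4 - - [10/May/2025:10:00:06 +0000] "POST /api/contacts HTTP/1.1" 429 52 "https://crm.example.com" "Mozilla/5.0"
192.0.2.9 - - [10/May/2025:10:00:07 +0000] "POST /api/login HTTP/1.1" 401 31 "-" "curl/8.0"'

# count_429_by_client: reads access-log lines on stdin and prints
# "<client> <count>" for every client that received at least one 429,
# highest count first. In the combined format the status is field 9.
count_429_by_client() {
    awk '$9 == 429 { n[$1]++ } END { for (c in n) print c, n[c] }' | sort -k2,2nr
}

# flag_429_offenders THRESHOLD: prints the clients with at least THRESHOLD
# 429s in the input; returns 0 if any were found, 1 otherwise, so it can be
# used as a condition in a cron job or alerting hook.
flag_429_offenders() {
    threshold=$1
    hits=$(count_429_by_client | awk -v t="$threshold" '$2 >= t')
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Usage on the constructed sample (threshold 3 is an arbitrary illustration):
#   printf '%s\n' "$SAMPLE_LOG" | flag_429_offenders 3
# On a real host, with the log path being an assumption:
#   tail -n 5000 /var/log/nginx/access.log | flag_429_offenders 50
```

Compare the flagged clients with the audit log: a client that is rate limited on `/api/login` but never appears as a successful login is a different story from a known user tripping the write limit during a bulk import.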