# Hardening

## Application Hardening

- Secure defaults: localhost bind, write mode disabled, policy-enforced writes.
- Strict config validation at startup.
- Redacted secret handling in logs and responses.
- Policy deny/allow model with path restrictions.
- Non-leaking production error responses.

## Container Hardening

- Non-root runtime user.
- `no-new-privileges` and dropped Linux capabilities.
- Read-only filesystem where practical.
- Explicit health checks.
- Separate dev and production compose profiles.

## Operational Hardening

- Rotate API keys regularly.
- Minimize Gitea bot permissions.
- Keep policy file under change control.
- Alert on repeated policy denials and auth failures.
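
The Container Hardening items and the localhost-bind default can be checked mechanically against a Compose service definition. The following is an added example, not code from this project: it audits a parsed service (for instance one entry under `services` in the output of `docker compose config --format json`). The service contents, image names, paths and ports are constructed, and reading "dropped Linux capabilities" as `cap_drop: [ALL]` is an assumption.

```python
# Added example, not the project's code. Service contents are constructed.
LOOPBACK = {"127.0.0.1", "::1"}

def binds_loopback(port):
    """True if a Compose port mapping publishes only on a loopback address."""
    if isinstance(port, dict):                       # long syntax
        return port.get("host_ip") in LOOPBACK
    parts = str(port).split("/")[0].rsplit(":", 2)   # short: [host_ip:]published:target
    return len(parts) == 3 and parts[0].strip("[]") in LOOPBACK

def audit_service(svc):
    """Return the checklist items a parsed Compose service does not meet."""
    findings = []
    uid = str(svc.get("user", "")).split(":")[0]
    if uid in ("", "0", "root"):
        findings.append("user: no explicit non-root user")
    opts = [str(o).replace("=", ":").lower() for o in svc.get("security_opt", [])]
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
        findings.append("security_opt: no-new-privileges not set")
    # Assumption: "dropped capabilities" is read strictly as cap_drop: [ALL].
    if "ALL" not in [str(c).upper() for c in svc.get("cap_drop", [])]:
        findings.append("cap_drop: ALL not dropped")
    if svc.get("read_only") is not True:
        findings.append("read_only: root filesystem is writable")
    hc = svc.get("healthcheck") or {}
    if not hc.get("test") or hc.get("test") == ["NONE"] or hc.get("disable"):
        findings.append("healthcheck: none defined")
    for p in svc.get("ports", []):
        if not binds_loopback(p):
            findings.append(f"ports: {p!r} is not bound to localhost")
    return findings

# Constructed services, shaped like entries under `services:` after parsing.
WEAK = {"image": "example/app:dev", "ports": ["8080:8080"], "user": "root"}
HARDENED = {
    "image": "example/app:1.0",
    "user": "10001:10001",
    "security_opt": ["no-new-privileges:true"],
    "cap_drop": ["ALL"],
    "read_only": True,
    "tmpfs": ["/tmp"],
    "healthcheck": {"test": ["CMD", "/app/healthcheck"], "interval": "30s"},
    "ports": ["127.0.0.1:8080:8080"],
}

if __name__ == "__main__":
    for name, svc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_service(svc) or "OK")
```

Run in CI against the production profile, a non-empty result can fail the build before a weakened service definition ships.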