Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
198fd3905b666f522a86db89d9eefdd94856a924
AegisGitea-MCP/docs/hardening.md

703 B
Raw Blame History

Hardening

Application Hardening

  • Secure defaults: localhost bind, write mode disabled, policy-enforced writes.
  • Strict config validation at startup.
  • Redacted secret handling in logs and responses.
  • Policy deny/allow model with path restrictions.
  • Non-leaking production error responses.

Container Hardening

  • Non-root runtime user.
  • no-new-privileges and dropped Linux capabilities.
  • Read-only filesystem where practical.
  • Explicit health checks.
  • Separate dev and production compose profiles.

Operational Hardening

  • Rotate API keys regularly.
  • Minimize Gitea bot permissions.
  • Keep policy file under change control.
  • Alert on repeated policy denials and auth failures.
Reference in New Issue View Git Blame Copy Permalink