25 lines
703 B
Markdown
25 lines
703 B
Markdown
# Hardening
|
|
|
|
## Application Hardening
|
|
|
|
- Secure defaults: localhost bind, write mode disabled, policy-enforced writes.
|
|
- Strict config validation at startup.
|
|
- Redacted secret handling in logs and responses.
|
|
- Policy deny/allow model with path restrictions.
|
|
- Non-leaking production error responses.
|
|
|
|
## Container Hardening
|
|
|
|
- Non-root runtime user.
|
|
- `no-new-privileges` and dropped Linux capabilities.
|
|
- Read-only filesystem where practical.
|
|
- Explicit health checks.
|
|
- Separate dev and production compose profiles.
|
|
|
|
## Operational Hardening
|
|
|
|
- Rotate API keys regularly.
|
|
- Minimize Gitea bot permissions.
|
|
- Keep policy file under change control.
|
|
- Alert on repeated policy denials and auth failures.
|