Skip to content

Security: ChildWerapol/EU-Intelligence-Hub

Security

SECURITY.md

Security Checklist

Credentials Management ✅

Protected Files (NOT in git)

  • .env.production - Production credentials
  • .env - Development credentials
  • Prompt-*.txt - Project management files

Verified Security

# Check what's tracked by git
git ls-files | grep -E "\.env|Prompt"
# Should return NOTHING ✅

Credentials Summary

Production Credentials (Configured)

  • ✅ Admin Password: Securely stored in .env.production
  • ✅ Gemini API Key: Configured and working
  • ✅ Database Password: Auto-generated strong password
  • ✅ Redis Password: Auto-generated strong password
  • ✅ Secret Key: Auto-generated 64-char string

File Permissions

-rw------- .env.production  # 600 (owner read/write only)
-rw------- .env             # 600 (owner read/write only)

Security Best Practices

Before Deployment

  • Review .env.production - ensure all secrets are strong
  • Update ALLOWED_HOSTS with your actual domain
  • Update CORS_ORIGINS with your actual frontend URL
  • Change default admin password after first login
  • Enable firewall (allow only 22, 80, 443)
  • Set up SSH key authentication
  • Disable password SSH login

After Deployment

  • Setup SSL with Let's Encrypt
  • Test backup/restore procedure
  • Setup monitoring alerts
  • Review nginx logs regularly
  • Keep Docker and system packages updated
  • Setup automated security updates

Regular Maintenance

  • Rotate passwords every 90 days
  • Review access logs monthly
  • Update dependencies regularly
  • Test disaster recovery quarterly
  • Audit user access permissions

If Credentials Are Exposed

Immediate Actions

  1. Change all passwords immediately

    nano .env.production
# Update ADMIN_PASSWORD, POSTGRES_PASSWORD, REDIS_PASSWORD
./deploy.sh production

  2. Rotate API keys

    • Get new Gemini API key from Google Cloud Console
    • Update .env.production
    • Redeploy

  3. Check for unauthorized access

    docker-compose -f docker-compose.prod.yml logs | grep -i "error\|failed\|unauthorized"

  4. Review git history

    git log --all --full-history --source -- .env.production
# Should show NO commits ✅

Verification Commands

# Verify .env files are not in git
git status | grep .env
# Should return NOTHING

# Verify file permissions
ls -la .env*
# Should show -rw------- (600)

# Check gitignore
cat .gitignore | grep .env
# Should show .env files listed

# Verify no secrets in git history
git log --all --oneline | xargs git show | grep -i "password\|api_key\|secret"
# Review output carefully

Contact

If you discover a security vulnerability:

  1. Do NOT open a public GitHub issue
  2. Email security contact privately
  3. Allow 48 hours for response
  4. Coordinate disclosure timing

Last Updated: 2025-10-15 Status: ✅ All credentials secured

There aren’t any published security advisories