Skip to content

Security Guide

Overview

Security best practices for deploying the Open Host Factory Plugin in production environments.

Authentication

JWT Bearer Token

{
  "server": {
    "auth": {
      "enabled": true,
      "strategy": "bearer_token",
      "bearer_token": {
        "secret_key": "your-very-secure-secret-key",
        "algorithm": "HS256",
        "token_expiry": 3600
      }
    }
  }
}

AWS IAM Authentication

{
  "server": {
    "auth": {
      "enabled": true,
      "strategy": "iam",
      "iam": {
        "region": "us-east-1",
        "required_actions": [
          "ec2:DescribeInstances",
          "ec2:RunInstances",
          "ec2:TerminateInstances"
        ]
      }
    }
  }
}

Network Security

HTTPS Configuration

{
  "server": {
    "require_https": true,
    "trusted_hosts": [
      "your-domain.com",
      "api.your-domain.com"
    ]
  }
}

CORS Configuration

{
  "server": {
    "cors": {
      "enabled": true,
      "origins": [
        "https://your-domain.com"
      ],
      "methods": ["GET", "POST", "PUT", "DELETE"],
      "headers": ["Authorization", "Content-Type"],
      "credentials": true
    }
  }
}

Container Security

Non-Root Execution

The Docker container runs as a non-root user (ohfp) for security:

RUN groupadd -r ohfp && useradd -r -g ohfp -s /bin/false ohfp
USER ohfp

Security Options

# Docker Compose
services:
  ohfp-api:
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp:noexec,nosuid,size=100m

Secrets Management

Environment Variables

# Use secure environment variables
HF_AUTH_BEARER_SECRET_KEY=your-secure-secret
AWS_ACCESS_KEY_ID=your-access-key
AWS_SECRET_ACCESS_KEY=your-secret-key

Docker Secrets

# Docker Compose with secrets
services:
  ohfp-api:
    secrets:
      - jwt-secret
    environment:
      HF_AUTH_BEARER_SECRET_KEY_FILE: /run/secrets/jwt-secret

secrets:
  jwt-secret:
    external: true

Kubernetes Secrets

apiVersion: v1
kind: Secret
metadata:
  name: ohfp-secrets
type: Opaque
data:
  jwt-secret: <base64-encoded-secret>

Production Security Checklist

  • [ ] Authentication enabled
  • [ ] Strong JWT secret key
  • [ ] HTTPS required
  • [ ] Trusted hosts configured
  • [ ] API documentation disabled in production
  • [ ] Non-root container execution
  • [ ] Resource limits set
  • [ ] Network isolation configured
  • [ ] Regular security updates
  • [ ] Vulnerability scanning enabled

For complete security configuration, see the deployment guide.