MCP/mcpmc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
mcpmc/docs/SECURITY.md
Ryan Malloy 4db7228a76 Organize documentation into docs/ directory 
- Move SECURITY.md, QUICK_START.md, MCPMC_STDIO_INTEGRATION.md to docs/
- Update README.md with documentation links
2025-09-18 12:12:18 -06:00

94 lines
2.7 KiB
Markdown
Raw Blame History

# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 1.0.x | :white_check_mark: |
## Security Configuration
### Environment Variables
This application requires environment variables for configuration. **Never commit `.env` files to the repository.**
1. Copy `.env.example` to `.env`
2. Update all placeholder values with secure credentials
3. Use strong, unique passwords for all services
### Required Security Configuration
#### Database Credentials
- `POSTGRES_PASSWORD`: Strong password (min 12 chars, mixed case, numbers, symbols)
- `PROCRASTINATE_PASSWORD`: Different strong password for task queue database
#### Domain Configuration
- `DOMAIN`: Your production domain (e.g., `mcpmc.yourdomain.com`)
- Update CORS origins in `src/mcpmc/main.py` to match your domain
#### Container Security
- Set `MCPMC_CONTAINER_MODE=true` in production containers
- Use read-only filesystems where possible
- Run containers with non-root users
### Production Deployment Security
#### CORS Configuration
The application automatically configures CORS origins based on your `DOMAIN` environment variable:
- Development: Allows localhost origins for testing
- Production: Uses `https://{DOMAIN}` and `https://api.{DOMAIN}`
- Security: Automatically removes localhost origins in production environments
Set your `DOMAIN` environment variable to configure CORS automatically:
```bash
DOMAIN=mcpmc.yourdomain.com
```
#### SSL/TLS
- Always use HTTPS in production
- Configure proper SSL certificates
- Use security headers (HSTS, CSP, etc.)
#### Network Security
- Use firewalls to restrict database access
- Implement rate limiting
- Monitor for suspicious activity
## Reporting a Vulnerability
If you discover a security vulnerability, please:
1. **Do NOT** open a public issue
2. Email security reports to: [Your security contact]
3. Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if known)
We will acknowledge receipt within 48 hours and provide a fix timeline.
## Security Best Practices
### For Developers
- Never commit credentials to git
- Use environment variables for all sensitive data
- Run security scans on dependencies regularly
- Follow secure coding practices
### For Operators
- Keep dependencies updated
- Monitor security advisories
- Use strong authentication
- Implement proper logging and monitoring
- Regular security audits
## Security Features
- Input validation and sanitization
- SQL injection prevention via ORMs
- XSS protection through proper output encoding
- CSRF protection via CORS configuration
- Secure credential management
- Error handling without information disclosure
Reference in New Issue View Git Blame Copy Permalink