MCP/mcpmc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
mcpmc/SECURITY.md

2.7 KiB
Raw Blame History

Security Policy

Supported Versions

Version Supported
1.0.x

Security Configuration

Environment Variables

This application requires environment variables for configuration. Never commit .env files to the repository.

  1. Copy .env.example to .env
  2. Update all placeholder values with secure credentials
  3. Use strong, unique passwords for all services

Required Security Configuration

Database Credentials

  • POSTGRES_PASSWORD: Strong password (min 12 chars, mixed case, numbers, symbols)
  • PROCRASTINATE_PASSWORD: Different strong password for task queue database

Domain Configuration

  • DOMAIN: Your production domain (e.g., mcpmc.yourdomain.com)
  • Update CORS origins in src/mcpmc/main.py to match your domain

Container Security

  • Set MCPMC_CONTAINER_MODE=true in production containers
  • Use read-only filesystems where possible
  • Run containers with non-root users

Production Deployment Security

CORS Configuration

The application automatically configures CORS origins based on your DOMAIN environment variable:

  • Development: Allows localhost origins for testing
  • Production: Uses https://{DOMAIN} and https://api.{DOMAIN}
  • Security: Automatically removes localhost origins in production environments

Set your DOMAIN environment variable to configure CORS automatically:

DOMAIN=mcpmc.yourdomain.com

SSL/TLS

  • Always use HTTPS in production
  • Configure proper SSL certificates
  • Use security headers (HSTS, CSP, etc.)

Network Security

  • Use firewalls to restrict database access
  • Implement rate limiting
  • Monitor for suspicious activity

Reporting a Vulnerability

If you discover a security vulnerability, please:

  1. Do NOT open a public issue
  2. Email security reports to: [Your security contact]
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if known)

We will acknowledge receipt within 48 hours and provide a fix timeline.

Security Best Practices

For Developers

  • Never commit credentials to git
  • Use environment variables for all sensitive data
  • Run security scans on dependencies regularly
  • Follow secure coding practices

For Operators

  • Keep dependencies updated
  • Monitor security advisories
  • Use strong authentication
  • Implement proper logging and monitoring
  • Regular security audits

Security Features

  • Input validation and sanitization
  • SQL injection prevention via ORMs
  • XSS protection through proper output encoding
  • CSRF protection via CORS configuration
  • Secure credential management
  • Error handling without information disclosure