MCP/mcpmc

Ryan Malloy 8e3cee4f18 Security hardening: Fix CORS configuration and add security documentation

- Replace wildcard CORS origins with restricted domain list
- Add comprehensive security patterns to .gitignore
- Create SECURITY.md with deployment security guidelines
- Restrict CORS methods and headers to minimum required
- Add security documentation for production deployment

2025-09-17 17:36:05 -06:00

2.5 KiB

Raw Blame History

Security Policy

Supported Versions

Version	Supported
1.0.x	✅

Security Configuration

Environment Variables

This application requires environment variables for configuration. Never commit .env files to the repository.

Copy .env.example to .env
Update all placeholder values with secure credentials
Use strong, unique passwords for all services

Required Security Configuration

Database Credentials

POSTGRES_PASSWORD: Strong password (min 12 chars, mixed case, numbers, symbols)
PROCRASTINATE_PASSWORD: Different strong password for task queue database

Domain Configuration

DOMAIN: Your production domain (e.g., mcpmc.yourdomain.com)
Update CORS origins in src/mcpmc/main.py to match your domain

Container Security

Set MCPMC_CONTAINER_MODE=true in production containers
Use read-only filesystems where possible
Run containers with non-root users

Production Deployment Security

CORS Configuration

The application includes security-hardened CORS configuration. Update the allowed_origins list in src/mcpmc/main.py to include only your trusted domains:

allowed_origins = [
    "https://yourdomain.com",
    "https://api.yourdomain.com",
]

SSL/TLS

Always use HTTPS in production
Configure proper SSL certificates
Use security headers (HSTS, CSP, etc.)

Network Security

Use firewalls to restrict database access
Implement rate limiting
Monitor for suspicious activity

Reporting a Vulnerability

If you discover a security vulnerability, please:

Do NOT open a public issue
Email security reports to: [Your security contact]
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if known)

We will acknowledge receipt within 48 hours and provide a fix timeline.

Security Best Practices

For Developers

Never commit credentials to git
Use environment variables for all sensitive data
Run security scans on dependencies regularly
Follow secure coding practices

For Operators

Keep dependencies updated
Monitor security advisories
Use strong authentication
Implement proper logging and monitoring
Regular security audits

Security Features

Input validation and sanitization
SQL injection prevention via ORMs
XSS protection through proper output encoding
CSRF protection via CORS configuration
Secure credential management
Error handling without information disclosure

2.5 KiB Raw Blame History