mcpmc/SECURITY.md
Ryan Malloy 8e3cee4f18 Security hardening: Fix CORS configuration and add security documentation
- Replace wildcard CORS origins with restricted domain list
- Add comprehensive security patterns to .gitignore
- Create SECURITY.md with deployment security guidelines
- Restrict CORS methods and headers to minimum required
- Add security documentation for production deployment
2025-09-17 17:36:05 -06:00


# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 1.0.x | :white_check_mark: |
## Security Configuration
### Environment Variables
This application requires environment variables for configuration. **Never commit `.env` files to the repository.**
1. Copy `.env.example` to `.env`
2. Update all placeholder values with secure credentials
3. Use strong, unique passwords for all services
### Required Security Configuration
#### Database Credentials
- `POSTGRES_PASSWORD`: Strong password (min 12 chars, mixed case, numbers, symbols)
- `PROCRASTINATE_PASSWORD`: Different strong password for task queue database
#### Domain Configuration
- `DOMAIN`: Your production domain (e.g., `mcpmc.yourdomain.com`)
- Update CORS origins in `src/mcpmc/main.py` to match your domain
#### Container Security
- Set `MCPMC_CONTAINER_MODE=true` in production containers
- Use read-only filesystems where possible
- Run containers with non-root users
### Production Deployment Security
#### CORS Configuration
The application includes security-hardened CORS configuration. Update the `allowed_origins` list in `src/mcpmc/main.py` to include only your trusted domains:
```python
allowed_origins = [
    "https://yourdomain.com",
    "https://api.yourdomain.com",
]
```
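
An added example, not part of the project's code: a pre-deployment lint for the `allowed_origins` list, plus the exact-match comparison that keeps look-alike hosts out. The function names and the sample entries other than the two shown above are assumptions made for illustration.

```python
from __future__ import annotations

from urllib.parse import urlsplit


def lint_origin(origin: str) -> list[str]:
    """Return the problems in one allowed_origins entry; an empty list means OK."""
    if "*" in origin:
        return ["wildcard"]
    if origin == "null":
        return ["null origin"]
    problems = []
    parts = urlsplit(origin)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("missing host")
    if parts.username or parts.password:
        problems.append("userinfo present")
    # Browsers send Origin as scheme://host[:port] with no trailing slash,
    # so an entry carrying a path can never equal a real Origin header.
    if parts.path or parts.query or parts.fragment:
        problems.append("path, query or fragment present")
    if origin != origin.lower():
        problems.append("not lowercase")
    return problems


def lint_allowed_origins(origins: list[str]) -> dict[str, list[str]]:
    """Map each bad entry to its problems; an empty dict means the list is clean."""
    report = {o: lint_origin(o) for o in origins}
    return {o: p for o, p in report.items() if p}


def origin_allowed(request_origin: str | None, allowed: list[str]) -> bool:
    """Exact string match only: no prefix, suffix or regex comparison."""
    return request_origin is not None and request_origin in allowed


# Constructed sample data: the two entries from this page plus bad ones.
GOOD = ["https://yourdomain.com", "https://api.yourdomain.com"]
BAD = ["*", "http://yourdomain.com", "https://yourdomain.com/", "yourdomain.com"]

if __name__ == "__main__":
    print(lint_allowed_origins(GOOD + BAD))
    print(origin_allowed("https://yourdomain.com", GOOD))
    print(origin_allowed("https://yourdomain.com.other.example", GOOD))
```

Running the lint in CI or at container start-up catches a wildcard or plain-HTTP origin before it reaches production.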
#### SSL/TLS
- Always use HTTPS in production
- Configure proper SSL certificates
- Use security headers (HSTS, CSP, etc.)
#### Network Security
- Use firewalls to restrict database access
- Implement rate limiting
- Monitor for suspicious activity
## Reporting a Vulnerability
If you discover a security vulnerability, please:
1. **Do NOT** open a public issue
2. Email security reports to: [Your security contact]
3. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if known)
We will acknowledge receipt within 48 hours and provide a fix timeline.
## Security Best Practices
### For Developers
- Never commit credentials to git
- Use environment variables for all sensitive data
- Run security scans on dependencies regularly
- Follow secure coding practices
### For Operators
- Keep dependencies updated
- Monitor security advisories
- Use strong authentication
- Implement proper logging and monitoring
- Perform regular security audits
## Security Features
- Input validation and sanitization
- SQL injection prevention via ORMs
- XSS protection through proper output encoding
- CSRF protection via CORS configuration
- Secure credential management
- Error handling without information disclosure