fix(security): fail-fast on missing JWT_SECRET, harden CSP, strip hardcoded passwords
backend/api/rest/server.go:
- NewServer() now delegates to loadJWTSecret(), which:
- Rejects JWT_SECRET < 32 bytes (log.Fatal).
- Requires JWT_SECRET when APP_ENV=production or GO_ENV=production.
- Generates a 32-byte crypto/rand ephemeral secret in dev only.
- Treats rand.Read failure as fatal (removes the prior time-based
fallback that was deterministic and forgeable).
- Default Content-Security-Policy rewritten:
- Drops 'unsafe-inline' and 'unsafe-eval'.
- Drops private CIDRs (192.168.11.221:854[5|6]).
- Adds frame-ancestors 'none', base-uri 'self', form-action 'self'.
- CSP_HEADER is required in production; fatal if unset there.
backend/api/rest/server_security_test.go (new):
- Covers the three loadJWTSecret() paths (valid, whitespace-trimmed,
ephemeral in dev).
- Covers isProductionEnv() across APP_ENV / GO_ENV combinations.
- Asserts defaultDevCSP contains no unsafe directives or private CIDRs
and includes the frame-ancestors / base-uri / form-action directives.
scripts/*.sh:
- Removed 'L@kers2010' default value from SSH_PASSWORD / NEW_PASSWORD in
7 helper scripts. Each script now fails with exit 2 and points to
docs/SECURITY.md if the password isn't supplied via env or argv.
EXECUTE_DEPLOYMENT.sh, EXECUTE_NOW.sh:
- Replaced hardcoded DB_PASSWORD='L@ker$2010' with a ':?' guard that
aborts with a clear error if DB_PASSWORD (and, for EXECUTE_DEPLOYMENT,
RPC_URL) is not exported. Other env vars keep sensible non-secret
defaults via ${VAR:-default}.
README.md:
- Removed the hardcoded Database Password / RPC URL lines. Replaced with
an env-variable reference table pointing at docs/SECURITY.md and
docs/DATABASE_CONNECTION_GUIDE.md.
docs/DEPLOYMENT.md:
- Replaced 'PASSWORD: SSH password (default: L@kers2010)' with a
required-no-default contract and a link to docs/SECURITY.md.
docs/SECURITY.md (new):
- Full secret inventory keyed to the env variable name and the file that
consumes it.
- Five-step rotation checklist covering the Postgres role, the Proxmox
VM SSH password, JWT_SECRET, vendor API keys, and a gitleaks-based
history audit.
- Explicit note that merging secret-scrub PRs does NOT invalidate
already-leaked credentials; rotation is the operator's responsibility.
Verification:
- go build ./... + go vet ./... pass clean.
- Targeted tests (LoadJWTSecret*, IsProduction*, DefaultDevCSP*) pass.
Advances completion criterion 2 (Secrets & config hardened). Residual
leakage from START_HERE.md / LETSENCRYPT_CONFIGURATION_GUIDE.md is
handled by PR #2 (doc consolidation), which deletes those files.
This commit is contained in:
22
README.md
22
README.md
@@ -52,11 +52,23 @@ If the script doesn't work, see `START_HERE.md` for step-by-step manual commands
|
||||
|
||||
## Configuration
|
||||
|
||||
- **Database User:** `explorer`
|
||||
- **Database Password:** `L@ker$2010`
|
||||
- **RPC URL:** `http://192.168.11.250:8545`
|
||||
- **Chain ID:** `138`
|
||||
- **Port:** `8080`
|
||||
All secrets and environment-specific endpoints are read from environment
|
||||
variables — nothing is committed to this repo. See
|
||||
[docs/SECURITY.md](docs/SECURITY.md) for the rotation checklist and
|
||||
[docs/DATABASE_CONNECTION_GUIDE.md](docs/DATABASE_CONNECTION_GUIDE.md) for
|
||||
setup.
|
||||
|
||||
| Variable | Purpose | Example |
|
||||
|---|---|---|
|
||||
| `DB_USER` | Postgres role | `explorer` |
|
||||
| `DB_PASSWORD` | Postgres password (required, no default) | — |
|
||||
| `DB_HOST` | Postgres host | `localhost` |
|
||||
| `DB_NAME` | Database name | `explorer` |
|
||||
| `RPC_URL` | Besu / execution client RPC endpoint | `http://rpc.internal:8545` |
|
||||
| `CHAIN_ID` | EVM chain ID | `138` |
|
||||
| `PORT` | API listen port | `8080` |
|
||||
| `JWT_SECRET` | HS256 signing key (≥32 bytes, required in prod) | — |
|
||||
| `CSP_HEADER` | Content-Security-Policy header (required in prod) | — |
|
||||
|
||||
## Reusable libs (extraction)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user