- Change default database credentials in `.env.prod`
- Generate a strong `SECRET_KEY` (use `openssl rand -hex 32`)
- Use production API keys (not development/test keys)
- Remove or secure .env files (never commit to git)
- Set proper CORS origins (no wildcards in production)
- Review all environment variables for sensitive data
- Strong PostgreSQL password (min 16 chars, mixed case, numbers, symbols)
- Database not exposed to internet (no port mapping in production)
- Regular backups configured
- Database user has minimal privileges
- HTTPS enabled with valid SSL certificates
- Security headers configured (HSTS, CSP, X-Frame-Options)
- Rate limiting enabled on API endpoints
- Input validation on all endpoints
- Authentication/Authorization properly implemented
- Error messages don't leak sensitive information
- Non-root users in all containers
- Minimal base images (alpine/slim variants)
- No unnecessary packages installed
- Container health checks configured
- Resource limits set for containers
- Internal Docker network configured
- Services not directly exposed (only through nginx)
- Firewall rules configured on host
- VPN/Private network for administrative access
The nginx configuration includes these security headers:

```nginx
# Note: nginx does not inherit add_header directives into a nested block that
# declares its own add_header, so repeat this set in any such location block.
# Prevent clickjacking
add_header X-Frame-Options DENY always;
# Prevent MIME type sniffing
add_header X-Content-Type-Options nosniff always;
# XSS Protection (legacy header: current browsers ignore it and rely on CSP instead)
add_header X-XSS-Protection "1; mode=block" always;
# Referrer Policy
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# HSTS (when using HTTPS)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Content Security Policy
# Note: 'unsafe-inline' and 'unsafe-eval' in script-src remove most of CSP's
# protection against injected scripts; tighten them once the frontend allows it.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none';" always;
```

Monitor these logs for security events:
- Failed authentication attempts
- Unusual API usage patterns
- Database connection errors
- Rate limit violations
- Service availability
- Response times
- Error rates
- Resource usage
- SSL Labs: Test SSL configuration
- OWASP ZAP: Security testing
- Docker Bench: Container security audit
- Trivy: Container vulnerability scanning
```bash
# Check for vulnerabilities in images
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image socialmediaflow_backend
# Check SSL configuration (if using HTTPS)
curl -I https://yourdomain.com
# Test security headers
# (HSTS is only sent and honoured over HTTPS, so check the https:// URL as well)
curl -I http://yourdomain.com
```

- Review access logs
- Check for failed login attempts
- Monitor resource usage
- Update container images
- Review and rotate API keys
- Check SSL certificate expiry
- Security scan of containers
- Full security audit
- Penetration testing
- Review and update security policies
- Update dependencies
- Hardcoded secrets in code
- Default passwords in production
- Overly permissive CORS settings
- Exposing internal services directly
- Running containers as root
- Missing security headers
- Unencrypted communication
- Insufficient logging
- No rate limiting
- Outdated dependencies
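As an added example (not part of the original document or the project's code), a small Python checker that turns the `curl -I` header test above into an automated audit against the nginx header set listed earlier: it parses a `curl -I` style response and reports missing headers, a short HSTS max-age, and CSP source lists that still allow 'unsafe-inline' or 'unsafe-eval'. The function names and the sample response are my own constructions; run against the headers this page configures, it flags the two unsafe script-src allowances.

```python
import re
# Headers the nginx snippet above sets (names are compared case-insensitively).
REQUIRED_HEADERS = ["x-frame-options", "x-content-type-options", "referrer-policy",
                    "strict-transport-security", "content-security-policy"]

def parse_headers(raw: str) -> dict[str, str]:
    """Parse `curl -I` output (status line plus header lines) into a lowercase-keyed dict."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def audit_headers(raw: str) -> list[str]:
    """Return findings for a raw HTTP response; an empty list means every check passed."""
    findings = []
    headers = parse_headers(raw)
    findings += [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in headers]
    age = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if age and int(age.group(1)) < 31536000:  # one year, the value the nginx config sets
        findings.append("HSTS max-age is below one year")
    csp = parse_csp(headers.get("content-security-policy", ""))
    for directive in ("script-src", "default-src"):
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in csp.get(directive, []):
                findings.append(f"CSP {directive} allows {weak}")
    if "frame-ancestors" not in csp:
        findings.append("CSP lacks frame-ancestors")
    return findings

# Constructed sample of what `curl -I` returns from the nginx configuration above.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
"""
```

Pipe real `curl -sI https://yourdomain.com` output into `audit_headers` to run the same checks against a live deployment.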