erik/aggios.app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: site institucional completo com design system - Implementa\u00e7\u00e3o do site institucional da Aggios com design system completo incluindo gradientes, tipografia, componentes e se\u00e7\u00f5es de recursos, pre\u00e7os e CTA

Browse Source
This commit is contained in:
Erik Silva
2025-12-07 02:19:08 -03:00
parent 53f240a4da
commit bf6707e746
90 changed files with 25927 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

495
1. docs/backend-deployment/SECURITY.md Normal file
View File

@@ -0,0 +1,495 @@
# 🔒 Security & Production Guide - Aggios
## 🔐 Guia de Segurança
### 1. Secrets Management
#### ⚠️ NUNCA commitear secrets
```bash
# ❌ ERRADO
DB_PASSWORD=minha_senha_secreta
JWT_SECRET=abc123
# ✅ CORRETO
# .env (não versionado no git)
DB_PASSWORD=${DB_PASSWORD}
JWT_SECRET=${JWT_SECRET}
# Usar HashiCorp Vault / AWS Secrets Manager / etc
```
#### Geração de Secrets Seguros
```bash
# JWT Secret (32+ caracteres aleatórios)
openssl rand -base64 32
# Senhas de Banco
openssl rand -base64 24
# Tokens de API
python3 -c "import secrets; print(secrets.token_urlsafe(32))"
```
### 2. Environment Configuration
#### Development (.env.local)
```env
ENV=development
DB_SSL_MODE=disable
JWT_SECRET=local_dev_key_not_secure
CORS_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:3001
MINIO_USE_SSL=false
```
#### Staging (.env.staging)
```env
ENV=staging
DB_SSL_MODE=require
JWT_SECRET=$(openssl rand -base64 32)
CORS_ALLOWED_ORIGINS=https://staging.aggios.app
MINIO_USE_SSL=true
```
#### Production (.env.production)
```env
ENV=production
DB_SSL_MODE=require
DB_POOL_SIZE=50
JWT_SECRET=$(openssl rand -base64 32)
JWT_EXPIRATION=2h
REFRESH_TOKEN_EXPIRATION=30d
CORS_ALLOWED_ORIGINS=https://aggios.app,https://dash.aggios.app
MINIO_USE_SSL=true
RATE_LIMIT_REQUESTS=50
RATE_LIMIT_WINDOW=60
SENTRY_DSN=https://xxx@sentry.io/project
LOG_LEVEL=info
```
### 3. JWT Security
#### Token Expiration Strategy
```
Access Token
├── Duração: 15-30 minutos
├── Escopo: operações sensíveis
└── Armazenar: memória
Refresh Token
├── Duração: 7-30 dias
├── Escopo: renovar access token
└── Armazenar: secure HTTP-only cookie
```
#### Prevent Token Abuse
```go
// 1. Revoke tokens on logout
DELETE FROM refresh_tokens WHERE user_id = ? AND token_hash = ?
// 2. Invalidate on password change
DELETE FROM refresh_tokens WHERE user_id = ?
// 3. Track token usage
INSERT INTO token_audit (user_id, action, timestamp)
// 4. Detect suspicious activity
SELECT * FROM token_audit
WHERE user_id = ? AND created_at > now() - interval '1 hour'
HAVING count(*) > 100
```
### 4. Password Security
#### Hashing com Argon2
```go
// ✅ CORRETO: Argon2id
hash := argon2.IDKey(
password, salt,
time: 3, // iterations
memory: 65536, // 64 MB
parallelism: 4,
keyLength: 32
)
// ❌ EVITAR
// - MD5
// - SHA1
// - SHA256 sem salt
// - bcrypt (mais fraco que Argon2)
```
#### Password Policy
```
Mínimo 12 caracteres em produção
├── Incluir maiúsculas (A-Z)
├── Incluir minúsculas (a-z)
├── Incluir números (0-9)
├── Incluir símbolos (!@#$%^&*)
├── Não reutilizar últimas 5 senhas
├── Expiração: opcional (preferir MFA)
└── Histórico: manter por 1 ano
```
### 5. HTTPS/TLS
#### Certificados (Let's Encrypt via Traefik)
```yaml
certificatesResolvers:
letsencrypt:
acme:
email: admin@aggios.app
storage: /letsencrypt/acme.json
httpChallenge:
entryPoint: web
tlsChallenge: {} # fallback
```
#### Security Headers (Traefik)
```yaml
middlewares:
security-headers:
headers:
contentTypeNosniff: true # X-Content-Type-Options: nosniff
browserXssFilter: true # X-XSS-Protection: 1; mode=block
forceSTSHeader: true # Strict-Transport-Security
stsSeconds: 31536000 # 1 ano
stsIncludeSubdomains: true
stsPreload: true # HSTS preload list
customFrameOptionsValue: SAMEORIGIN # X-Frame-Options
```
### 6. Database Security
#### PostgreSQL Security
```sql
-- 1. Criar usuário dedicado (sem superuser)
CREATE USER aggios WITH PASSWORD 'strong_password_here';
GRANT CONNECT ON DATABASE aggios_db TO aggios;
GRANT USAGE ON SCHEMA public TO aggios;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO aggios;
-- 2. Habilitar SSL
-- postgresql.conf
ssl = on
ssl_cert_file = '/path/to/server.crt'
ssl_key_file = '/path/to/server.key'
-- 3. Restrict connections
-- pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD
host aggios_db aggios 127.0.0.1/32 md5
host aggios_db aggios ::1/128 md5
# Replicação (se houver)
host replication replication 192.168.1.0/24 md5
-- 4. Row Level Security (RLS)
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
CREATE POLICY user_isolation ON users FOR SELECT
USING (tenant_id = current_setting('app.current_tenant')::uuid);
-- 5. Audit Logging
CREATE TABLE audit_log (
id BIGSERIAL PRIMARY KEY,
table_name TEXT,
operation TEXT,
old_data JSONB,
new_data JSONB,
user_id UUID,
timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
```
#### SQL Injection Prevention
```go
// ✅ CORRETO: Prepared Statements
query := "SELECT * FROM users WHERE email = ? AND tenant_id = ?"
rows, err := db.Query(query, email, tenantID)
// ❌ ERRADO: String concatenation
query := fmt.Sprintf("SELECT * FROM users WHERE email = '%s'", email)
rows, err := db.Query(query)
```
### 7. Redis Security
#### Redis Authentication
```yaml
# docker-compose.yml
redis:
command: redis-server --requirepass ${REDIS_PASSWORD} --appendonly yes
environment:
REDIS_PASSWORD: ${REDIS_PASSWORD}
```
#### Redis ACL (Redis 6+)
```bash
# Criar usuário readonly para cache
ACL SETUSER cache_user on >cache_password \
+get +strlen +exists +type \
~cache:* \
&default
```
### 8. MinIO Security
#### Bucket Policies
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::minioadmin:user/backend"
},
"Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
"Resource": "arn:aws:s3:::aggios/tenant-123/*"
}
]
}
```
#### Versioning & Lifecycle
```bash
# Habilitar versionamento
mc version enable minio/aggios
# Lifecycle rules (delete old versions after 90 days)
mc ilm rule list minio/aggios
```
### 9. API Security
#### Rate Limiting
```go
// Implementar com Redis
const (
maxRequests = 100 // por window
windowSize = 60 * time.Second
)
// Por IP
key := fmt.Sprintf("rate_limit:%s", clientIP)
count, _ := redis.Incr(key)
redis.Expire(key, windowSize)
if count > maxRequests {
http.Error(w, "Too many requests", http.StatusTooManyRequests)
}
```
#### CORS Configuration
```go
// Whitelist específico
allowedOrigins := []string{
"https://aggios.app",
"https://dash.aggios.app",
"https://admin.aggios.app",
}
// Validar cada request
origin := r.Header.Get("Origin")
for _, allowed := range allowedOrigins {
if origin == allowed {
w.Header().Set("Access-Control-Allow-Origin", origin)
break
}
}
```
#### Input Validation
```go
// Sempre validar
if !emailRegex.MatchString(email) {
return errors.New("invalid email")
}
if len(password) < 12 {
return errors.New("password too weak")
}
if !subdomain.IsValidFormat() {
return errors.New("invalid subdomain")
}
```
### 10. Monitoring & Alerting
#### Detectar Anomalias
```yaml
# Prometheus alerting rules
groups:
- name: security
rules:
- alert: HighFailedLogins
expr: increase(login_failures_total[5m]) > 10
annotations:
summary: "High rate of failed logins"
- alert: UnusualAPIActivity
expr: rate(api_requests_total[5m]) > 1000
annotations:
summary: "Unusual API activity detected"
- alert: DatabaseConnectionPool
expr: pg_stat_activity_count > 45
annotations:
summary: "Database connection pool near limit"
```
---
## ✅ Production Checklist
### Infrastructure
- [ ] DNS configurado e propagado
- [ ] SSL/TLS certificados válidos (Let's Encrypt)
- [ ] Firewall configurado (UFW/Security Groups)
- [ ] SSH keys em vez de passwords
- [ ] VPN para acesso administrativo
- [ ] Load balancer configurado
- [ ] CDN para assets estáticos (Cloudflare)
- [ ] DDoS protection habilitado
### Database
- [ ] PostgreSQL em production mode
- [ ] SSL obrigatório nas conexões
- [ ] Backups automatizados (diários)
- [ ] Replicação configurada (alta disponibilidade)
- [ ] Restore testing documentado
- [ ] Slow query logging habilitado
- [ ] Índices otimizados
- [ ] Vacuuming configurado
### Application
- [ ] Environment variables definidas
- [ ] Secrets em vault (não em .env)
- [ ] JWT_SECRET de 32+ caracteres
- [ ] Logging estruturado habilitado
- [ ] Error tracking (Sentry)
- [ ] APM (Application Performance Monitoring)
- [ ] Health checks implementados
- [ ] Graceful shutdown
### Security
- [ ] HTTPS everywhere
- [ ] HSTS headers
- [ ] CSP headers configurados
- [ ] CORS restritivo
- [ ] Rate limiting ativo
- [ ] Authentication forte (JWT + MFA opcional)
- [ ] Password hashing (Argon2)
- [ ] SQL injection prevention (prepared statements)
- [ ] XSS protection
- [ ] CSRF tokens
### Secrets
- [ ] JWT_SECRET rotacionado
- [ ] DB_PASSWORD complexa (32+ chars)
- [ ] REDIS_PASSWORD configurada
- [ ] MINIO secrets seguros
- [ ] API keys armazenadas em vault
- [ ] Nenhum secret em git
- [ ] Rotation policy documentada
- [ ] Audit trail de acessos
### Testing
- [ ] Unit tests (>80% coverage)
- [ ] Integration tests
- [ ] Load tests
- [ ] Security tests (OWASP Top 10)
- [ ] Penetration testing
- [ ] Disaster recovery drill
### Monitoring
- [ ] Logs centralizados (ELK)
- [ ] Métricas (Prometheus)
- [ ] Alertas configurados
- [ ] Dashboard criado (Grafana)
- [ ] Uptime monitoring (Pingdom)
- [ ] Error tracking (Sentry)
- [ ] Performance metrics
### Documentation
- [ ] Runbook de incidents
- [ ] Playbook de escalação
- [ ] Procedure de rollback
- [ ] Disaster recovery plan
- [ ] API documentation
- [ ] Architecture diagrams
- [ ] Onboarding guide
### Compliance
- [ ] GDPR compliance (se EU)
- [ ] LGPD compliance (se Brazil)
- [ ] Data retention policy
- [ ] Privacy policy atualizada
- [ ] Terms of service
- [ ] Cookie policy
- [ ] Audit logging enabled
- [ ] Penetration test report
### Deployment
- [ ] CI/CD pipeline configurado
- [ ] Blue-green deployment
- [ ] Canary releases
- [ ] Automated rollback
- [ ] Version control enabled
- [ ] Change log maintained
- [ ] Deployment approval process
- [ ] Zero-downtime deployments
### Maintenance
- [ ] Backup retention policy
- [ ] Log retention policy
- [ ] Certificate renewal automated
- [ ] Package updates scheduled
- [ ] Security patches applied
- [ ] Documentation updated
- [ ] Team training completed
- [ ] Incident response team assigned
---
## 🆘 Incident Response
### Senha Comprometida
1. Invalidar todos os tokens JWT
2. Forçar password reset do usuário
3. Auditar atividade recente
4. Notificar usuário
5. Revisar outros usuários da organização
### Ataque DDoS
1. Ativar WAF/DDoS protection
2. Rate limiting agressivo
3. Escalate para CDN (Cloudflare)
4. Análise de tráfego
5. Documentar attack pattern
### Data Breach
1. Detectar scope do leak
2. Notificar usuários afetados
3. GDPR/LGPD notification
4. Investigação forense
5. Patch vulnerabilidade
6. Audit trail completo
---
## 📚 Referências de Segurança
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [CWE/SANS Top 25](https://cwe.mitre.org/top25/)
- [PostgreSQL Security](https://www.postgresql.org/docs/current/sql-createrole.html)
- [JWT Best Practices](https://tools.ietf.org/html/rfc8725)
- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)
---
**Última atualização**: Dezembro 2025
**Versão**: 1.0.0
**Responsabilidade**: DevOps + Security Team