# 🔒 Security & Production Guide - Aggios ## 🔐 Guia de Segurança ### 1. Secrets Management #### ⚠️ NUNCA commitear secrets ```bash # ❌ ERRADO DB_PASSWORD=minha_senha_secreta JWT_SECRET=abc123 # ✅ CORRETO # .env (não versionado no git) DB_PASSWORD=${DB_PASSWORD} JWT_SECRET=${JWT_SECRET} # Usar HashiCorp Vault / AWS Secrets Manager / etc ``` #### Geração de Secrets Seguros ```bash # JWT Secret (32+ caracteres aleatórios) openssl rand -base64 32 # Senhas de Banco openssl rand -base64 24 # Tokens de API python3 -c "import secrets; print(secrets.token_urlsafe(32))" ``` ### 2. Environment Configuration #### Development (.env.local) ```env ENV=development DB_SSL_MODE=disable JWT_SECRET=local_dev_key_not_secure CORS_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:3001 MINIO_USE_SSL=false ``` #### Staging (.env.staging) ```env ENV=staging DB_SSL_MODE=require JWT_SECRET=$(openssl rand -base64 32) CORS_ALLOWED_ORIGINS=https://staging.aggios.app MINIO_USE_SSL=true ``` #### Production (.env.production) ```env ENV=production DB_SSL_MODE=require DB_POOL_SIZE=50 JWT_SECRET=$(openssl rand -base64 32) JWT_EXPIRATION=2h REFRESH_TOKEN_EXPIRATION=30d CORS_ALLOWED_ORIGINS=https://aggios.app,https://dash.aggios.app MINIO_USE_SSL=true RATE_LIMIT_REQUESTS=50 RATE_LIMIT_WINDOW=60 SENTRY_DSN=https://xxx@sentry.io/project LOG_LEVEL=info ``` ### 3. JWT Security #### Token Expiration Strategy ``` Access Token ├── Duração: 15-30 minutos ├── Escopo: operações sensíveis └── Armazenar: memória Refresh Token ├── Duração: 7-30 dias ├── Escopo: renovar access token └── Armazenar: secure HTTP-only cookie ``` #### Prevent Token Abuse ```go // 1. Revoke tokens on logout DELETE FROM refresh_tokens WHERE user_id = ? AND token_hash = ? // 2. Invalidate on password change DELETE FROM refresh_tokens WHERE user_id = ? // 3. Track token usage INSERT INTO token_audit (user_id, action, timestamp) // 4. Detect suspicious activity SELECT * FROM token_audit WHERE user_id = ? AND created_at > now() - interval '1 hour' HAVING count(*) > 100 ``` ### 4. Password Security #### Hashing com Argon2 ```go // ✅ CORRETO: Argon2id hash := argon2.IDKey( password, salt, time: 3, // iterations memory: 65536, // 64 MB parallelism: 4, keyLength: 32 ) // ❌ EVITAR // - MD5 // - SHA1 // - SHA256 sem salt // - bcrypt (mais fraco que Argon2) ``` #### Password Policy ``` Mínimo 12 caracteres em produção ├── Incluir maiúsculas (A-Z) ├── Incluir minúsculas (a-z) ├── Incluir números (0-9) ├── Incluir símbolos (!@#$%^&*) ├── Não reutilizar últimas 5 senhas ├── Expiração: opcional (preferir MFA) └── Histórico: manter por 1 ano ``` ### 5. HTTPS/TLS #### Certificados (Let's Encrypt via Traefik) ```yaml certificatesResolvers: letsencrypt: acme: email: admin@aggios.app storage: /letsencrypt/acme.json httpChallenge: entryPoint: web tlsChallenge: {} # fallback ``` #### Security Headers (Traefik) ```yaml middlewares: security-headers: headers: contentTypeNosniff: true # X-Content-Type-Options: nosniff browserXssFilter: true # X-XSS-Protection: 1; mode=block forceSTSHeader: true # Strict-Transport-Security stsSeconds: 31536000 # 1 ano stsIncludeSubdomains: true stsPreload: true # HSTS preload list customFrameOptionsValue: SAMEORIGIN # X-Frame-Options ``` ### 6. Database Security #### PostgreSQL Security ```sql -- 1. Criar usuário dedicado (sem superuser) CREATE USER aggios WITH PASSWORD 'strong_password_here'; GRANT CONNECT ON DATABASE aggios_db TO aggios; GRANT USAGE ON SCHEMA public TO aggios; GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO aggios; -- 2. Habilitar SSL -- postgresql.conf ssl = on ssl_cert_file = '/path/to/server.crt' ssl_key_file = '/path/to/server.key' -- 3. Restrict connections -- pg_hba.conf # TYPE DATABASE USER ADDRESS METHOD host aggios_db aggios 127.0.0.1/32 md5 host aggios_db aggios ::1/128 md5 # Replicação (se houver) host replication replication 192.168.1.0/24 md5 -- 4. Row Level Security (RLS) ALTER TABLE users ENABLE ROW LEVEL SECURITY; CREATE POLICY user_isolation ON users FOR SELECT USING (tenant_id = current_setting('app.current_tenant')::uuid); -- 5. Audit Logging CREATE TABLE audit_log ( id BIGSERIAL PRIMARY KEY, table_name TEXT, operation TEXT, old_data JSONB, new_data JSONB, user_id UUID, timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP ); ``` #### SQL Injection Prevention ```go // ✅ CORRETO: Prepared Statements query := "SELECT * FROM users WHERE email = ? AND tenant_id = ?" rows, err := db.Query(query, email, tenantID) // ❌ ERRADO: String concatenation query := fmt.Sprintf("SELECT * FROM users WHERE email = '%s'", email) rows, err := db.Query(query) ``` ### 7. Redis Security #### Redis Authentication ```yaml # docker-compose.yml redis: command: redis-server --requirepass ${REDIS_PASSWORD} --appendonly yes environment: REDIS_PASSWORD: ${REDIS_PASSWORD} ``` #### Redis ACL (Redis 6+) ```bash # Criar usuário readonly para cache ACL SETUSER cache_user on >cache_password \ +get +strlen +exists +type \ ~cache:* \ &default ``` ### 8. MinIO Security #### Bucket Policies ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::minioadmin:user/backend" }, "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::aggios/tenant-123/*" } ] } ``` #### Versioning & Lifecycle ```bash # Habilitar versionamento mc version enable minio/aggios # Lifecycle rules (delete old versions after 90 days) mc ilm rule list minio/aggios ``` ### 9. API Security #### Rate Limiting ```go // Implementar com Redis const ( maxRequests = 100 // por window windowSize = 60 * time.Second ) // Por IP key := fmt.Sprintf("rate_limit:%s", clientIP) count, _ := redis.Incr(key) redis.Expire(key, windowSize) if count > maxRequests { http.Error(w, "Too many requests", http.StatusTooManyRequests) } ``` #### CORS Configuration ```go // Whitelist específico allowedOrigins := []string{ "https://aggios.app", "https://dash.aggios.app", "https://admin.aggios.app", } // Validar cada request origin := r.Header.Get("Origin") for _, allowed := range allowedOrigins { if origin == allowed { w.Header().Set("Access-Control-Allow-Origin", origin) break } } ``` #### Input Validation ```go // Sempre validar if !emailRegex.MatchString(email) { return errors.New("invalid email") } if len(password) < 12 { return errors.New("password too weak") } if !subdomain.IsValidFormat() { return errors.New("invalid subdomain") } ``` ### 10. Monitoring & Alerting #### Detectar Anomalias ```yaml # Prometheus alerting rules groups: - name: security rules: - alert: HighFailedLogins expr: increase(login_failures_total[5m]) > 10 annotations: summary: "High rate of failed logins" - alert: UnusualAPIActivity expr: rate(api_requests_total[5m]) > 1000 annotations: summary: "Unusual API activity detected" - alert: DatabaseConnectionPool expr: pg_stat_activity_count > 45 annotations: summary: "Database connection pool near limit" ``` --- ## ✅ Production Checklist ### Infrastructure - [ ] DNS configurado e propagado - [ ] SSL/TLS certificados válidos (Let's Encrypt) - [ ] Firewall configurado (UFW/Security Groups) - [ ] SSH keys em vez de passwords - [ ] VPN para acesso administrativo - [ ] Load balancer configurado - [ ] CDN para assets estáticos (Cloudflare) - [ ] DDoS protection habilitado ### Database - [ ] PostgreSQL em production mode - [ ] SSL obrigatório nas conexões - [ ] Backups automatizados (diários) - [ ] Replicação configurada (alta disponibilidade) - [ ] Restore testing documentado - [ ] Slow query logging habilitado - [ ] Índices otimizados - [ ] Vacuuming configurado ### Application - [ ] Environment variables definidas - [ ] Secrets em vault (não em .env) - [ ] JWT_SECRET de 32+ caracteres - [ ] Logging estruturado habilitado - [ ] Error tracking (Sentry) - [ ] APM (Application Performance Monitoring) - [ ] Health checks implementados - [ ] Graceful shutdown ### Security - [ ] HTTPS everywhere - [ ] HSTS headers - [ ] CSP headers configurados - [ ] CORS restritivo - [ ] Rate limiting ativo - [ ] Authentication forte (JWT + MFA opcional) - [ ] Password hashing (Argon2) - [ ] SQL injection prevention (prepared statements) - [ ] XSS protection - [ ] CSRF tokens ### Secrets - [ ] JWT_SECRET rotacionado - [ ] DB_PASSWORD complexa (32+ chars) - [ ] REDIS_PASSWORD configurada - [ ] MINIO secrets seguros - [ ] API keys armazenadas em vault - [ ] Nenhum secret em git - [ ] Rotation policy documentada - [ ] Audit trail de acessos ### Testing - [ ] Unit tests (>80% coverage) - [ ] Integration tests - [ ] Load tests - [ ] Security tests (OWASP Top 10) - [ ] Penetration testing - [ ] Disaster recovery drill ### Monitoring - [ ] Logs centralizados (ELK) - [ ] Métricas (Prometheus) - [ ] Alertas configurados - [ ] Dashboard criado (Grafana) - [ ] Uptime monitoring (Pingdom) - [ ] Error tracking (Sentry) - [ ] Performance metrics ### Documentation - [ ] Runbook de incidents - [ ] Playbook de escalação - [ ] Procedure de rollback - [ ] Disaster recovery plan - [ ] API documentation - [ ] Architecture diagrams - [ ] Onboarding guide ### Compliance - [ ] GDPR compliance (se EU) - [ ] LGPD compliance (se Brazil) - [ ] Data retention policy - [ ] Privacy policy atualizada - [ ] Terms of service - [ ] Cookie policy - [ ] Audit logging enabled - [ ] Penetration test report ### Deployment - [ ] CI/CD pipeline configurado - [ ] Blue-green deployment - [ ] Canary releases - [ ] Automated rollback - [ ] Version control enabled - [ ] Change log maintained - [ ] Deployment approval process - [ ] Zero-downtime deployments ### Maintenance - [ ] Backup retention policy - [ ] Log retention policy - [ ] Certificate renewal automated - [ ] Package updates scheduled - [ ] Security patches applied - [ ] Documentation updated - [ ] Team training completed - [ ] Incident response team assigned --- ## 🆘 Incident Response ### Senha Comprometida 1. Invalidar todos os tokens JWT 2. Forçar password reset do usuário 3. Auditar atividade recente 4. Notificar usuário 5. Revisar outros usuários da organização ### Ataque DDoS 1. Ativar WAF/DDoS protection 2. Rate limiting agressivo 3. Escalate para CDN (Cloudflare) 4. Análise de tráfego 5. Documentar attack pattern ### Data Breach 1. Detectar scope do leak 2. Notificar usuários afetados 3. GDPR/LGPD notification 4. Investigação forense 5. Patch vulnerabilidade 6. Audit trail completo --- ## 📚 Referências de Segurança - [OWASP Top 10](https://owasp.org/www-project-top-ten/) - [CWE/SANS Top 25](https://cwe.mitre.org/top25/) - [PostgreSQL Security](https://www.postgresql.org/docs/current/sql-createrole.html) - [JWT Best Practices](https://tools.ietf.org/html/rfc8725) - [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) --- **Última atualização**: Dezembro 2025 **Versão**: 1.0.0 **Responsabilidade**: DevOps + Security Team