Skip to content
This repository was archived by the owner on Mar 27, 2026. It is now read-only.

PRODUCTION_SECURITY.md

Latest commit

 

History

History
61 lines (39 loc) · 3.15 KB

PRODUCTION_SECURITY.md

File metadata and controls

61 lines (39 loc) · 3.15 KB

Production security — enable hardening

Purpose: DivineOS API can run with optional production security. By default it runs without it so local and dev use stay simple. For production or external verification, enable it with one env var. Security is opt-in; below is exactly what opt-in enables so a verifier knows what posture they are testing.

What opt-in enables (verifier reference)

When DIVINEOS_SECURITY_ENABLED=1 is set, the API server applies only the following. Nothing else is automatically enabled (e.g. JWT or API keys on routes are not applied by this flag alone).

Component What is enabled
CORS Restrictive allowed origins, methods, and headers (from law/security_implementation.py).
TrustedHost Middleware that validates the Host header against an allowed list (e.g. localhost, 127.0.0.1).
Security headers HSTS, X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, and related headers on responses.
Secrets validation On startup, SecretsManager.validate_secrets(raise_on_missing=False) runs; missing secrets are warned, startup is not blocked.

So the security posture under the flag is: hardening for cross-origin and host abuse, plus response headers and a non-blocking secrets check. For stricter posture (e.g. protect /process with API key or JWT), see SECURITY_IMPLEMENTATION.md and wire the desired pieces.

Enable production security

Set in the environment before starting the API:

export DIVINEOS_SECURITY_ENABLED=1   # Linux/macOS
set DIVINEOS_SECURITY_ENABLED=1      # Windows cmd
$env:DIVINEOS_SECURITY_ENABLED="1"   # Windows PowerShell

Then start the server as usual: python api_server.py (or uvicorn). The API will apply:

  • CORS — Restrictive origins, methods, headers (from law/security_implementation.py).
  • TrustedHost — Allowed hosts (e.g. localhost, 127.0.0.1).
  • Security headers — HSTS, X-Content-Type-Options, X-Frame-Options, CSP, etc.
  • Secrets validation — Warns if required secrets are missing (does not block startup by default).

Implementation: api_server.py calls apply_security_to_app(app) from law/security_implementation.py when the env var is set. See SECURITY_IMPLEMENTATION.md for the full list of 17 fixes (JWT, API keys, rate limiting, audit logging, etc.) and how to wire them further (e.g. protect /process with API key or JWT).

Secrets (when going to production)

For full hardening, set at least:

  • JWT_SECRET_KEY — Used for JWT auth if you add protected routes.
  • Any other secrets required by SecretsManager in law/security_implementation.py.

Never commit secrets; use env vars or a secrets manager.

Summary

Environment Security middleware
Default (unset) None
DIVINEOS_SECURITY_ENABLED=1 CORS, TrustedHost, SecurityHeaders, secrets check

So production hardening is opt-in: set the env var and the same API server runs with the security layer applied.