# Security > **Terakhir Diperbarui:** 2026-06-29 --- ## Larangan Mutlak - ❌ Jangan commit `.env` ke repository - ❌ Jangan commit password, API key, token, private key ke repository - ❌ Jangan tampilkan nilai secret di output AI / log - ❌ Jangan hardcode credentials di kode PHP atau script --- ## Model Autentikasi | Method | Digunakan Untuk | Keterangan | |--------|-----------------|------------| | **JWT (LDAP)** | User login via browser | Login AD → JWT, expire configurable | | **API Token** | Developer / personal access | Token per-user, scope-limited | | **Service Token** | Antar-service (misal GeoNetAgent) | Token per-service, bisa di-sync | --- ## Credential Management | Secret | Lokasi | |--------|--------| | Semua `.env` app | `/opt/stacks/geonet-console/.env` di server — **tidak di repo** | | LDAP bind password | `.env` server | | PostgreSQL password | `.env` server | | QNAP OSS secret key | `.env` server | | SQL Server password | `.env` server | | SSH private key | `~/.ssh/id_ed25519` di laptop developer | | MikroTik SSH key (RSA) | `~/.ssh/id_rsa_mikrotik` di laptop | --- ## Nginx Security Headers geonet-console sudah punya: - `Strict-Transport-Security` (HSTS) - `X-Frame-Options: SAMEORIGIN` - Rate limiting: login 5 req/menit, general traffic --- ## Aturan SSH - SSH ke server **wajib minta persetujuan user** sebelum dijalankan - Jangan auto-run SSH command destructive (rm, truncate, dll) - Edit `.env` hanya di server langsung — jangan sync dari laptop --- ## Aturan AI Agent - Jika diminta membuat credential baru: catat **lokasi penyimpanan** di `docs/environment.md`, bukan nilainya - Jika token bocor: instruksikan user rotasi manual — jangan buat token baru di repo - Jangan commit apapun yang mengandung password, token, atau key