You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1.8 KiB
1.8 KiB
Security
Terakhir Diperbarui: 2026-06-29
Larangan Mutlak
- ❌ Jangan commit
.envke repository - ❌ Jangan commit password, API key, token, private key ke repository
- ❌ Jangan tampilkan nilai secret di output AI / log
- ❌ Jangan hardcode credentials di kode PHP atau script
Model Autentikasi
| Method | Digunakan Untuk | Keterangan |
|---|---|---|
| JWT (LDAP) | User login via browser | Login AD → JWT, expire configurable |
| API Token | Developer / personal access | Token per-user, scope-limited |
| Service Token | Antar-service (misal GeoNetAgent) | Token per-service, bisa di-sync |
Credential Management
| Secret | Lokasi |
|---|---|
Semua .env app |
/opt/stacks/geonet-console/.env di server — tidak di repo |
| LDAP bind password | .env server |
| PostgreSQL password | .env server |
| QNAP OSS secret key | .env server |
| SQL Server password | .env server |
| SSH private key | ~/.ssh/id_ed25519 di laptop developer |
| MikroTik SSH key (RSA) | ~/.ssh/id_rsa_mikrotik di laptop |
Nginx Security Headers
geonet-console sudah punya:
Strict-Transport-Security(HSTS)X-Frame-Options: SAMEORIGIN- Rate limiting: login 5 req/menit, general traffic
Aturan SSH
- SSH ke server wajib minta persetujuan user sebelum dijalankan
- Jangan auto-run SSH command destructive (rm, truncate, dll)
- Edit
.envhanya di server langsung — jangan sync dari laptop
Aturan AI Agent
- Jika diminta membuat credential baru: catat lokasi penyimpanan di
docs/environment.md, bukan nilainya - Jika token bocor: instruksikan user rotasi manual — jangan buat token baru di repo
- Jangan commit apapun yang mengandung password, token, atau key