GeoNetAgent, LDAPWeb, server-audit, server-connection
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1.8 KiB

Security

Terakhir Diperbarui: 2026-06-29


Larangan Mutlak

  • Jangan commit .env ke repository
  • Jangan commit password, API key, token, private key ke repository
  • Jangan tampilkan nilai secret di output AI / log
  • Jangan hardcode credentials di kode PHP atau script

Model Autentikasi

Method Digunakan Untuk Keterangan
JWT (LDAP) User login via browser Login AD → JWT, expire configurable
API Token Developer / personal access Token per-user, scope-limited
Service Token Antar-service (misal GeoNetAgent) Token per-service, bisa di-sync

Credential Management

Secret Lokasi
Semua .env app /opt/stacks/geonet-console/.env di server — tidak di repo
LDAP bind password .env server
PostgreSQL password .env server
QNAP OSS secret key .env server
SQL Server password .env server
SSH private key ~/.ssh/id_ed25519 di laptop developer
MikroTik SSH key (RSA) ~/.ssh/id_rsa_mikrotik di laptop

Nginx Security Headers

geonet-console sudah punya:

  • Strict-Transport-Security (HSTS)
  • X-Frame-Options: SAMEORIGIN
  • Rate limiting: login 5 req/menit, general traffic

Aturan SSH

  • SSH ke server wajib minta persetujuan user sebelum dijalankan
  • Jangan auto-run SSH command destructive (rm, truncate, dll)
  • Edit .env hanya di server langsung — jangan sync dari laptop

Aturan AI Agent

  • Jika diminta membuat credential baru: catat lokasi penyimpanan di docs/environment.md, bukan nilainya
  • Jika token bocor: instruksikan user rotasi manual — jangan buat token baru di repo
  • Jangan commit apapun yang mengandung password, token, atau key