bitzorcas
EN

Guide

Production security checklist

Security checklist for deploying BitzOrcas to production — secrets, TLS, CORS, rate limiting, monitoring, and configuration requirements.

Last updated

Use this checklist to verify your BitzOrcas deployment meets production security requirements.

Secrets management

  • JWT secret ≥ 32 characters, stored in secrets manager (not appsettings.json)
  • HMAC client credentials in secrets manager, not checked into git
  • API keys stored securely; only SHA-256 hashes in runtime
  • Connection strings in secrets manager (Azure Key Vault / AWS Secrets Manager / etc.)
  • RabbitMQ credentials in secrets manager
  • dotnet user-secrets for local development only

TLS and transport

  • HTTPS everywhere — no HTTP endpoints in production
  • TLS 1.2+ minimum (TLS 1.3 preferred)
  • HSTS enabled with long max-age
  • Certificate auto-renewal configured

CORS configuration

  • CORS origins restricted to known frontend domains
  • AllowCredentials: true only if needed
  • No wildcard (*) origins with credentials

Authentication

  • JWT issuer and audience configured (not default values)
  • ClockSkew set to TimeSpan.Zero
  • Development test fixtures removed from production config
  • Token lifetime appropriate for your security model

Rate limiting

  • Rate limiting policies configured for production traffic
  • Redis backplane planned for multi-instance deployments
  • Sensitive endpoints (login, password reset) use sensitivePolicy

Observability

  • OTLP endpoint configured to your collector
  • Service name and deployment environment set
  • Audit log retention policy configured
  • Health check endpoints accessible to orchestrator

Database

  • SQL Server not exposed to public internet
  • Encrypted connections (TLS)
  • Separate credentials for API and JobHost
  • Regular backup schedule configured

Message broker

  • RabbitMQ not exposed to public internet
  • Management UI secured or disabled
  • Connection encrypted (TLS)
  • Dead letter exchange configured

Infrastructure

  • Container images from trusted registries
  • Non-root container user
  • Read-only filesystem where possible
  • Resource limits (CPU, memory) configured

Configuration checklist

{
  "Jwt": {
    "Secret": "≥32-chars-from-vault",
    "Issuer": "your-production-issuer",
    "Audience": "your-production-audience"
  },
  "Hmac": {
    "Clients": { "from-vault": "..." }
  },
  "OTEL_EXPORTER_OTLP_ENDPOINT": "https://your-collector:4317",
  "OTEL_SERVICE_NAME": "bitzorcas-api",
  "OTEL_DEPLOYMENT_ENVIRONMENT": "production"
}