Security Hardening Checklist
Configuration baseline
- Set a strong production JWT_SECRET.
- Restrict FRONTEND_ORIGIN to the trusted domain.
- Keep APP_URL aligned with the real public URL.
- Store SMTP/SES secrets outside repository.
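A fail-fast startup check for the configuration items above, added here as an example and not part of the project's own code. The function names, the 32-byte minimum, the placeholder and local-host lists are assumptions; the project's own Zod schema would express the same rules declaratively.

```javascript
// Added example, not the project's own code: fail-fast validation of the
// production configuration baseline. Thresholds and name lists are assumptions.
const MIN_JWT_SECRET_BYTES = 32; // assumed minimum: 256 bits of key material
const PLACEHOLDER_SECRETS = new Set(['secret', 'changeme', 'password', 'jwt_secret', 'dev']);
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]', '0.0.0.0']);

// JWT_SECRET: present, not a well-known placeholder, long enough, not one repeated byte.
function checkJwtSecret(value) {
  if (!value) return 'JWT_SECRET is missing';
  if (PLACEHOLDER_SECRETS.has(value.toLowerCase())) return 'JWT_SECRET is a placeholder value';
  if (Buffer.byteLength(value, 'utf8') < MIN_JWT_SECRET_BYTES) {
    return `JWT_SECRET is shorter than ${MIN_JWT_SECRET_BYTES} bytes`;
  }
  if (new Set(value).size < 8) return 'JWT_SECRET has too few distinct characters';
  return null;
}

// FRONTEND_ORIGIN: exactly one https origin (scheme + host [+ port]). A wildcard or a
// list would let any site make credentialed cross-origin requests.
function checkOrigin(name, value) {
  if (!value) return `${name} is missing`;
  if (value === '*' || value.includes(',')) return `${name} must be a single exact origin, not a wildcard or list`;
  let url;
  try { url = new URL(value); } catch { return `${name} is not a valid URL`; }
  if (url.protocol !== 'https:') return `${name} must use https`;
  if (url.origin !== value) return `${name} must be a bare origin (no path, query or trailing slash)`;
  return null;
}

// APP_URL: the base for links the app emits (e.g. in mail), so it must be https and
// must not point at a development host that is not the real public URL.
function checkAppUrl(value) {
  if (!value) return 'APP_URL is missing';
  let url;
  try { url = new URL(value); } catch { return 'APP_URL is not a valid URL'; }
  if (url.protocol !== 'https:') return 'APP_URL must use https';
  if (LOCAL_HOSTS.has(url.hostname)) return 'APP_URL points at a local host, not the public URL';
  return null;
}

// Returns every problem found; call at startup and refuse to boot when non-empty.
function validateEnv(env) {
  return [
    checkJwtSecret(env.JWT_SECRET),
    checkOrigin('FRONTEND_ORIGIN', env.FRONTEND_ORIGIN),
    checkAppUrl(env.APP_URL),
  ].filter(Boolean);
}

// Run against the live process environment and report anything that must be fixed.
const startupProblems = validateEnv(process.env);
if (startupProblems.length > 0) console.error('Refusing to start:\n  ' + startupProblems.join('\n  '));
```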
Access control baseline
- Preserve RBAC checks on all write endpoints.
- Preserve ownership checks for user-scoped resources.
- Verify role assignments in user management regularly.
- Keep MIME allowlist and upload limits enforced.
- Keep request body size limits enabled.
- Keep Zod validation on all write routes.
Operations baseline
- Enable HTTPS termination at proxy/ingress.
- Back up SQLite + uploads regularly.
- Test restore flow periodically.
- Monitor outbox health flags and retry failures.