Security Hardening
Use this checklist to harden production Strata deployments.
Runtime
- Run current stable image version
- Use immutable image tags in production
- Restrict network access to required ports only
Secrets
- Store secrets in a managed secrets system
- Rotate secrets on a defined schedule
Required protected secrets include:
- `LICENSE_KEY`
- `DB_PASSWORD`
- `STRATA_SECRET_KEY_BASE`
- `STRATA_ENCRYPTION_PRIMARY_KEY`
- `STRATA_ENCRYPTION_DETERMINISTIC_KEY`
- `STRATA_ENCRYPTION_KEY_DERIVATION_SALT`
TLS and transport
- Terminate TLS at a trusted reverse proxy or load balancer
- Use `ASSUME_SSL=true` and `FORCE_SSL=true` when SSL is enabled
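As an added example (not Strata project code), a POSIX shell preflight that verifies the required secrets listed under Secrets are set and non-empty and that `ASSUME_SSL`/`FORCE_SSL` are both `true` whenever SSL is enabled, so a misconfigured container fails before it starts serving. `SSL_ENABLED` is an assumed placeholder for however your deployment signals that SSL is on, and `preflight` is a hypothetical entry point.

```shell
#!/bin/sh
# Added example, not Strata's own code: run before the application process
# starts (e.g. as the first step of the container entrypoint).

# Secrets the hardening checklist requires to be present at runtime.
REQUIRED_SECRETS="LICENSE_KEY DB_PASSWORD STRATA_SECRET_KEY_BASE \
STRATA_ENCRYPTION_PRIMARY_KEY STRATA_ENCRYPTION_DETERMINISTIC_KEY \
STRATA_ENCRYPTION_KEY_DERIVATION_SALT"

# Returns 0 when every required secret is set and non-empty. Otherwise lists
# the missing names on stderr (names only, never values) and returns 1.
check_required_secrets() {
  missing=""
  for name in $REQUIRED_SECRETS; do
    # Indirect lookup; the name list is a fixed constant, so eval is safe here.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      missing="$missing $name"
    fi
  done
  if [ -n "$missing" ]; then
    echo "preflight: missing required secrets:$missing" >&2
    return 1
  fi
  return 0
}

# Returns 0 when SSL is off, or when it is on and both ASSUME_SSL and FORCE_SSL
# are "true". SSL_ENABLED is an assumed placeholder, not a Strata variable.
check_ssl_flags() {
  if [ "${SSL_ENABLED:-false}" != "true" ]; then
    return 0
  fi
  if [ "${ASSUME_SSL:-}" = "true" ] && [ "${FORCE_SSL:-}" = "true" ]; then
    return 0
  fi
  echo "preflight: SSL enabled but ASSUME_SSL/FORCE_SSL are not both true" >&2
  return 1
}

# Hypothetical entry point: non-zero exit aborts the container start.
preflight() {
  check_required_secrets && check_ssl_flags
}
```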
Access control
- Apply least-privilege IAM/service-role policies
- Restrict container registry credentials to read-only for runtime hosts
- Restrict admin access to infrastructure and secrets systems
Logging and audit
- Centralize logs and retain by policy
- Alert on repeated auth or startup failures
- Keep deployment change history for traceability