Capistrano executes deployment commands over SSH. Hardening focuses on SSH trust, least privilege on remote hosts, and safe secret handling.
¶ SSH Key and Host Verification
- Use dedicated deploy keys per environment.
- Enforce host key checking; do not disable known-host validation.
- Store host fingerprints centrally and rotate keys with change control.
¶ Least Privilege on Remote Hosts
- Use a non-root deploy user.
- Restrict sudo privileges to exact required commands.
- Limit writable paths to release directories only.
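An added example, not part of the original checklist or of Capistrano itself: a small Ruby linter for the `:ssh_options` hash that Capistrano hands to Net::SSH, with a constructed weak configuration beside a hardened one. The option keys are real Net::SSH options; the key path and known_hosts path are assumed placeholders.

```ruby
# Audits a Capistrano :ssh_options hash against the SSH and least-privilege
# items above. Runs without the capistrano gem; only plain Ruby is used.

# Constructed example of a weak configuration (what the checklist forbids).
WEAK_SSH_OPTIONS = {
  user: "root",                   # deploys as root
  password: "hunter2",            # secret committed into deploy.rb
  verify_host_key: :never,        # disables known_hosts validation
  forward_agent: true             # exposes the operator's agent to the host
}.freeze

# Constructed example of a hardened configuration.
HARDENED_SSH_OPTIONS = {
  user: "deploy",                                        # non-root deploy user
  keys: ["/etc/capistrano/keys/production_deploy"],      # assumed path, one key per environment
  keys_only: true,
  auth_methods: %w[publickey],                           # no password fallback
  verify_host_key: :always,                              # strict host key checking
  user_known_hosts_file: "/etc/capistrano/known_hosts",  # assumed centrally managed file
  forward_agent: false
}.freeze

# Returns an array of findings; empty when the options pass the checklist.
def audit_ssh_options(opts)
  findings = []
  # :never (net-ssh >= 5) or paranoid: false (older net-ssh) both disable checking.
  if opts[:verify_host_key] == :never || opts[:paranoid] == false
    findings << "host key verification disabled"
  elsif opts[:verify_host_key] != :always
    findings << "host key verification not strict (use :always with a managed known_hosts file)"
  end
  findings << "deploys as root" if opts[:user].to_s == "root"
  findings << "password embedded in ssh_options" if opts.key?(:password)
  # Net::SSH's default auth_methods include "password", so an unset list is also flagged.
  methods = Array(opts[:auth_methods])
  findings << "password authentication allowed" if methods.empty? || methods.include?("password")
  findings << "no dedicated deploy key configured" if Array(opts[:keys]).empty?
  findings << "agent forwarding enabled" if opts[:forward_agent]
  findings
end

if __FILE__ == $PROGRAM_NAME
  { weak: WEAK_SSH_OPTIONS, hardened: HARDENED_SSH_OPTIONS }.each do |name, opts|
    puts "#{name}: #{audit_ssh_options(opts).inspect}"
  end
end
```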
¶ Secrets and Environment Variables
- Do not commit secrets into deploy.rb or stage files.
- Pull secrets from a vault or CI secret backend at runtime.
- Mask secrets in CI and deployment logs.
¶ Release Integrity and Rollback
- Deploy from signed tags or protected branches.
- Pin dependency versions and verify checksums when applicable.
- Keep the rollback strategy tested so that emergencies do not force unsafe manual edits on hosts.
¶ Logging and Auditing
- Log deployment initiator, commit SHA, target hosts, and outcome.
- Retain logs in a centralized immutable location.
- Alert on direct production deploys outside approved pipelines.