Cannery stores firearm and ammunition inventory data, which is highly sensitive. Prioritize strict access controls, encrypted backups, and private network exposure only.
¶ 1) Identity and Access Management
- Disable public signup: Set REGISTRATION=invite_only or disabled in private deployments
- Restrict admin accounts: Limit admin accounts to named operators and rotate credentials regularly
- Enforce strong passwords: Require complex passwords for all user accounts
- Multi-factor authentication: Implement MFA through upstream reverse proxy (Traefik, nginx with Authelia, etc.) as native MFA is not available
- Session management: Configure secure session handling and timeouts
- Log all administrative changes: Monitor role and permission changes
- HTTPS enforcement: Run Cannery only behind HTTPS reverse proxy with TLS termination
- Internal port security: Keep internal port 4000 accessible only to the reverse proxy
- Database isolation: Keep database service ports private; never expose them externally
- Firewall rules: Restrict access to the server to authorized IP addresses only
- Rate limiting: Implement rate limiting and brute-force protection on authentication endpoints via reverse proxy
- Encryption at rest: Encrypt database and backup artifacts at rest
- File permissions: Apply strict file permissions on storage paths used for records and attachments
- Secure secrets: Store sensitive configuration values (database passwords, SECRET_KEY_BASE) securely
- Backup encryption: Encrypt backup files and store them in secure locations
- Retention policy: Define a retention and deletion policy for exported inventory reports
- Keep updated: Regularly update to the latest stable version to receive security patches
- Image scanning: Scan Docker images for vulnerabilities before deployment
- Non-root user: Run containers as a non-root user where possible
- Resource limits: Set appropriate resource limits to prevent resource exhaustion attacks
- Input validation: Validate all inputs to prevent injection attacks
¶ 5) Monitoring and Logging
- Access logs: Maintain detailed access logs for audit purposes
- Authentication monitoring: Monitor failed login attempts and suspicious activities
- System monitoring: Monitor system resources and application health
- Alerting: Set up alerts for security-related events
- Minimal base image: Use minimal base images and keep them updated
- Image verification: Verify Docker image signatures when available
- Runtime security: Consider using runtime security tools to monitor container activity
- Volume security: Secure volume mounts and limit access to necessary directories only
- Strong passwords: Use strong, unique passwords for database access
- Connection security: Use encrypted connections to the database when possible
- Access controls: Limit database access to only the necessary services
- Regular updates: Keep the database software updated with security patches
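As an added example (not code from the page or from the Cannery project), the following Python audit checks a docker-compose definition, already loaded with a YAML parser into a dict, against the signup, port exposure, inline secrets, non-root and resource-limit points above. Service names, image names, the `.env` layout and the REGISTRATION values are assumptions taken from this checklist.

```python
"""Audit a Cannery docker-compose definition against the checklist above."""
SENSITIVE_KEYS = ("SECRET_KEY_BASE", "DATABASE_URL", "POSTGRES_PASSWORD")

def env_map(env) -> dict:
    """Normalise compose 'environment' (mapping or list of KEY=VAL) to a dict."""
    if isinstance(env, dict):
        return {k: str(v) for k, v in env.items()}
    return dict(str(item).partition("=")[::2] for item in env or [])

def publicly_published(spec) -> bool:
    """True for a 'ports' entry bound to all interfaces: '4000', '4000:4000', '0.0.0.0:5432:5432'."""
    parts = str(spec).split(":")
    return len(parts) < 3 or parts[0] in ("", "0.0.0.0")

def audit_service(name: str, svc: dict) -> list:
    """Return one finding per checklist item the service violates."""
    env, findings = env_map(svc.get("environment")), []
    if env.get("REGISTRATION", "").lower() == "public":
        findings.append(f"{name}: REGISTRATION=public allows open signup")
    for spec in svc.get("ports", []):
        if publicly_published(spec):
            findings.append(f"{name}: port {spec!r} reachable from all interfaces")
    for key in SENSITIVE_KEYS:
        if key in env:  # should come from env_file/secrets, not the compose file
            findings.append(f"{name}: {key} is inline in compose; use env_file")
    if not svc.get("user"):
        findings.append(f"{name}: no 'user:' set, container runs as root")
    if not svc.get("deploy", {}).get("resources", {}).get("limits"):
        findings.append(f"{name}: no resource limits configured")
    return findings

def audit_compose(compose: dict) -> list:
    return [f for n, s in compose.get("services", {}).items() for f in audit_service(n, s)]

# Constructed samples (image names are placeholders, not the project's published images).
WEAK = {"services": {
    "cannery": {"image": "cannery:placeholder", "ports": ["4000:4000"],
                "environment": {"REGISTRATION": "public", "SECRET_KEY_BASE": "changeme"}},
    "db": {"image": "postgres:placeholder", "ports": ["5432:5432"],
           "environment": ["POSTGRES_PASSWORD=changeme"]}}}
HARDENED = {"services": {
    "cannery": {"image": "cannery:placeholder", "ports": ["127.0.0.1:4000:4000"],
                "env_file": [".env"], "environment": {"REGISTRATION": "invite_only"},
                "user": "1000:1000", "deploy": {"resources": {"limits": {"memory": "512M"}}}},
    "db": {"image": "postgres:placeholder", "env_file": [".env"], "user": "999:999",
           "deploy": {"resources": {"limits": {"memory": "1G"}}}}}}

if __name__ == "__main__":
    print("\n".join(audit_compose(WEAK)) or "no findings")
```

The hardened sample keeps port 4000 bound to loopback for the reverse proxy, leaves the database unpublished on the compose network, and moves every secret into an `.env` file that should itself carry strict file permissions.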
- Cannery website: https://cannery.app
- Cannery source code: https://gitea.bubbletea.dev/shibao/cannery