Inventaire combines user inventory data with external bibliographic data flows (Wikidata/ISBN). Harden OAuth/session controls and isolate synchronization components. Given the multi-container architecture with CouchDB and Elasticsearch, security considerations span multiple services.
¶ 1) Network and Access Controls
- Reverse Proxy: Always use a reverse proxy (nginx/Apache) with TLS termination
- Firewall: Restrict access to internal services (CouchDB on port 5984, Elasticsearch on 9200) to only the application container
- Port Exposure: Only expose the main application port (typically 3000) through the reverse proxy
- Rate Limiting: Implement rate limiting at the reverse proxy level to prevent abuse
¶ 2) Identity and User Data Controls
- Registration: Disable open registration (INV_ACCOUNT_SIGNUP_OPEN=false) when the deployment serves a private team
- Authentication: Enforce strong password policies and session expiration settings
- Admin Access: Restrict admin-level operations to trusted operators only
- Token Management: Review and revoke stale API/session tokens regularly
- Session Security: Use a strong, randomly generated session secret (INV_SESSION_SECRET) and enforce HTTPS
¶ 3) Database Security
- Authentication: Use strong passwords for CouchDB and Elasticsearch
- Network Isolation: Keep databases on internal Docker networks, not exposed externally
- Access Control: Configure CouchDB users and permissions appropriately
- Encryption: Enable encryption for sensitive data at rest when possible
¶ 4) External Data Flow Controls
- Input Validation: Treat imported bibliographic metadata as untrusted input
- Endpoint Restrictions: Restrict outbound endpoints to approved metadata/data providers (Wikidata, ISBN services)
- Rate Limits: Apply rate limits and timeouts on external fetch operations
- Service Isolation: Keep parsing services isolated from core app privileges
¶ 5) Container Security
- Non-root User: Run containers as non-root users where possible
- Resource Limits: Set appropriate CPU and memory limits to prevent resource exhaustion
- Image Updates: Regularly update base images and application images
- Minimal Images: Use minimal base images to reduce attack surface
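The network, identity, database and container controls above can be expressed in one Compose layout. The following is an added example, not the project's own compose file: image names and tags, network names, the nginx config path and the volume names are assumptions; the ports (3000, 5984, 9200) and the INV_* variables are the ones named on this page.

```yaml
# Added example (not Inventaire's own compose file): only the proxy publishes a
# host port; CouchDB and Elasticsearch sit on an internal-only network.
services:
  proxy:
    image: nginx:stable                 # assumed image; terminates TLS, applies rate limits
    ports:
      - "443:443"                       # the only port published on the host
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro   # assumed path to your TLS/limit config
    networks: [frontend]
    depends_on: [app]

  app:
    image: inventaire:latest            # placeholder for the Inventaire application image
    user: "1000:1000"                   # run as a non-root user
    environment:
      INV_ACCOUNT_SIGNUP_OPEN: "false"  # closed registration for a private team
      INV_SESSION_SECRET: ${INV_SESSION_SECRET:?set a long random value in .env}
    # frontend: reached by the proxy on 3000 and allowed outbound to Wikidata/ISBN services
    # backend:  reaches the databases; port 3000 is never published on the host
    networks: [frontend, backend]
    deploy:
      resources:
        limits: { cpus: "1.0", memory: 1g }   # cap CPU/memory to limit resource exhaustion

  couchdb:
    image: couchdb:3                    # assumed tag
    environment:
      COUCHDB_USER: ${COUCHDB_USER:?set in .env}
      COUCHDB_PASSWORD: ${COUCHDB_PASSWORD:?set in .env}
    networks: [backend]                 # no "ports:" entry, so 5984 stays internal
    volumes: [couchdb-data:/opt/couchdb/data]

  elasticsearch:
    image: elasticsearch:7.17.10        # assumed tag
    environment:
      discovery.type: single-node
      xpack.security.enabled: "true"    # require authentication on 9200
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:?set in .env}
    networks: [backend]                 # 9200 is never published on the host
    volumes: [es-data:/usr/share/elasticsearch/data]

networks:
  frontend: {}
  backend:
    internal: true                      # no host or internet access from this network

volumes:
  couchdb-data: {}
  es-data: {}
```

A quick check after `docker compose up` is `docker compose ps`, which should list a published port only for the proxy service; the app and database services must show none.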
¶ 6) Protection of Storage and Operations
- Backup Encryption: Encrypt backups containing user inventories and profile metadata
- Dependency Updates: Patch Node.js runtime and dependencies frequently
- Audit Logging: Enable and monitor audit logs for admin actions and import/export operations
- File Uploads: Validate and sanitize uploaded files, limit file sizes and types
¶ 7) Monitoring and Incident Response
- Log Monitoring: Monitor application, database, and system logs for suspicious activities
- Security Scanning: Regularly scan images and dependencies for vulnerabilities
- Backup Testing: Regularly test backup and restore procedures to ensure data integrity
- Incident Response: Have a plan for responding to security incidents
- Inventaire website: https://inventaire.io
- Inventaire self-hosting docs: https://wiki.inventaire.io/wiki/Self-hosting
- Inventaire source repository: https://codeberg.org/inventaire/inventaire (primary development)
- GitHub mirror: https://github.com/inventaire/inventaire (read-only)