Open QuarterMaster is typically deployed as an internal inventory service. Harden the deployment as an internal-only application and treat the upstream maintenance cadence as a risk factor. The system uses a modular architecture, so the Core API and Base Station components carry separate security considerations.
¶ 1) Network Security and Access Control
- Internal Deployment: Keep service private behind VPN or internal reverse proxy
- Firewall Rules: Restrict access to only necessary ports (typically 80/443 for web interface, 8080 for API)
- Reverse Proxy: Use a reverse proxy (nginx, Apache, Traefik) with proper SSL/TLS termination
- Disable Open Registration: Ensure user registration is restricted to administrators only
- IP Whitelisting: Limit access to known IP addresses when possible
¶ 2) Authentication and Authorization
- Strong Passwords: Enforce strong password policies for all user accounts
- Role-Based Access: Assign admin rights sparingly using role-based access controls
- Session Management: Configure appropriate session timeouts and secure cookie settings
- Multi-Factor Authentication: Enable MFA if available in your version
- Account Lockout: Implement account lockout policies to prevent brute force attacks
- Encryption at Rest: Encrypt database and file storage for sensitive inventory data
- Transport Encryption: Enable TLS on all client-facing endpoints (minimum TLS 1.2)
- Database Security: Secure database connections with strong passwords and SSL
- Backup Encryption: Encrypt backup sets and validate restore integrity regularly
- Audit Logging: Log all administrative changes, imports, and destructive inventory actions
- Non-root User: Run containers as a non-root user when possible
- Resource Limits: Set appropriate resource limits to prevent DoS attacks
- Image Verification: Use official images from trusted sources and verify signatures
- Volume Permissions: Restrict file and database permissions to the least-privilege runtime user
- Network Isolation: Use dedicated Docker networks for service isolation
- Dependency Updates: Regularly update Java runtime and application dependencies
- Security Headers: Configure security headers (CSP, HSTS, X-Frame-Options) via reverse proxy
- Input Validation: Ensure proper input validation to prevent injection attacks
- File Upload Security: Validate and scan uploaded files for malicious content
- Plugin Security: Only install trusted plugins and keep them updated
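The reverse-proxy items above (TLS termination, IP allowlisting, security headers, and fronting the web interface and the 8080 API) combined into one nginx server block. This is an added example, not configuration shipped by the Open QuarterMaster project; the hostname, upstream container names, internal address ranges and certificate paths are assumptions.

```nginx
# Added example: nginx in front of the Base Station UI and the Core API.
# Hostname, upstream names, address ranges and cert paths are assumptions.

# Never serve the interface in clear: redirect HTTP to HTTPS.
server {
    listen 80;
    server_name oqm.internal.example;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name oqm.internal.example;

    # Transport encryption: TLS 1.2 minimum.
    ssl_certificate     /etc/nginx/tls/oqm.crt;
    ssl_certificate_key /etc/nginx/tls/oqm.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # IP allowlisting: only the internal LAN and VPN ranges may connect.
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny  all;

    # Security headers set at the proxy. The CSP is a strict starting point;
    # relax it only for origins the Base Station UI actually loads from.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;

    # Base Station web interface (assumed to listen on 80 inside the Docker network).
    location / {
        proxy_pass http://oqm-base-station:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Core API on 8080; the same allowlist and headers apply here.
    location /api/ {
        proxy_pass http://oqm-core-api:8080/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        client_max_body_size 10m;   # bound upload and import sizes
    }
}
```

Because the proxy handles TLS and the allowlist, bind the Base Station and Core API containers only to the internal Docker network so they are unreachable except through this server block.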
¶ 6) Maintenance and Monitoring
- Track Upstream Activity: Monitor project releases and security advisories regularly
- Version Pinning: Pin to specific versions and test updates in staging before production
- Patch Management: Establish a regular patching schedule for the application and underlying OS
- Security Scanning: Perform regular vulnerability scans of the deployment
- Incident Response: Maintain an incident response plan for security events
- Separate Environments: Keep test and production datasets separate
- Least Privilege: Run the application with minimum required system privileges
- File Permissions: Restrict access to configuration files containing sensitive data
- Log Management: Secure and monitor application logs for suspicious activities
- Regular Audits: Conduct periodic security audits of configurations and access rights
- Open QuarterMaster website: https://openquartermaster.com
- Open QuarterMaster source repository: https://github.com/Epic-Breakfast-Productions/OpenQuarterMaster
- OWASP Top 10 for securing web applications
- NIST Cybersecurity Framework guidelines