Security deployment hardening

This guide describes how to harden your Rediflow deployment for QA or production.

Checklist

  • [ ] Use HTTPS (reverse proxy or TLS termination)
  • [ ] Set strong SECRET_KEY
  • [ ] Set strong POSTGRES_PASSWORD
  • [ ] Configure OIDC when multi-user; avoid POLICY_NO_AUTH_DEFAULT=allow_all.
  • [ ] Never commit .env files with secrets
  • [ ] Enable PROJECT_VISIBILITY_ENABLED when restricting by org or assignment

HTTPS and TLS

Rediflow does not terminate TLS. Use a reverse proxy (nginx, Caddy, Traefik) or your platform's TLS termination in front of the app.

When the app is behind HTTPS:

  • SESSION_COOKIE_SECURE is automatic when APP_ENV is qa or prod
  • HSTS is sent when the request is secure (e.g. Strict-Transport-Security: max-age=31536000; includeSubDomains)
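A post-deploy check for those two behaviours (HSTS header present with at least a one-year max-age, every Set-Cookie carrying Secure), added here as an example; it is not part of Rediflow or of this page's original content. It reads raw response headers from stdin, so run it as `curl -sSI https://rediflow.example.org/login | sh audit_headers.sh --stdin`; the hostname and script name are placeholders. The HttpOnly warning is the script's own addition, not something this page states, and the sample headers are constructed, not captured from a deployment.

```shell
#!/bin/sh
# Added example, not part of Rediflow: audit response headers for the two
# HTTPS behaviours the hardening page describes (HSTS, Secure session cookie).
# Returns the number of FAIL findings so it can gate a deploy pipeline.

# audit_headers < raw-headers  ->  prints findings, returns FAIL count
audit_headers() {
    findings=0
    # Header names are case-insensitive; normalise and strip CRLF first.
    hdrs=$(tr 'A-Z' 'a-z' | tr -d '\r')

    if printf '%s\n' "$hdrs" | grep -q '^strict-transport-security:'; then
        max_age=$(printf '%s\n' "$hdrs" \
            | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' \
            | head -n 1)
        if [ "${max_age:-0}" -lt 31536000 ]; then
            echo "FAIL: HSTS max-age=${max_age:-missing} is below one year (31536000)"
            findings=$((findings + 1))
        fi
    else
        echo "FAIL: no Strict-Transport-Security header (did the proxy forward the request as secure?)"
        findings=$((findings + 1))
    fi

    # Every Set-Cookie must carry the Secure attribute. Match the attribute
    # (preceded by ';'), not the word "secure" inside a cookie value.
    cookies=$(printf '%s\n' "$hdrs" | grep '^set-cookie:' || true)
    if [ -n "$cookies" ]; then
        insecure=$(printf '%s\n' "$cookies" | grep -Evc ';[[:space:]]*secure(;|$)' || true)
        if [ "$insecure" -gt 0 ]; then
            echo "FAIL: $insecure Set-Cookie header(s) without Secure"
            findings=$((findings + 1))
        fi
        # HttpOnly is not claimed by the page; its absence is a warning only.
        if printf '%s\n' "$cookies" | grep -Evq ';[[:space:]]*httponly(;|$)'; then
            echo "WARN: a Set-Cookie header lacks HttpOnly"
        fi
    fi

    echo "findings: $findings"
    return "$findings"
}

# Constructed sample responses for demonstration (not captured traffic).
good_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n'
    printf 'Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n'
    printf '\r\n'
}
weak_headers() {           # no HSTS, cookie without Secure -> 2 findings
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Set-Cookie: session=abc123; Path=/; HttpOnly\r\n'
    printf '\r\n'
}
short_hsts_headers() {     # HSTS present but max-age far too short -> 1 finding
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Strict-Transport-Security: max-age=300\r\n'
    printf 'Set-Cookie: session=abc123; Path=/; HttpOnly; Secure\r\n'
    printf '\r\n'
}

case "${1:-}" in
    --stdin)    audit_headers ;;                 # audit headers piped in
    --selftest) weak_headers | audit_headers ;;  # show findings on the constructed sample
esac
```

If the HSTS header is absent even though the browser reached the app over TLS, the request is most likely arriving at the app as plain HTTP from the proxy; check which scheme the proxy passes through before looking further.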

Secrets

SECRET_KEY

Required for session signing. Use a strong, random value. Never commit it.

Generate:

openssl rand -base64 60

Set in .env.prod or .env.qa:

SECRET_KEY=<paste-generated-value>

POSTGRES_PASSWORD

Use a strong password for the database. Generate with openssl rand -base64 60 or equivalent.

OIDC

When using Authentik:

  • OIDC_CLIENT_SECRET — from the Authentik provider; keep it confidential
  • AUTHENTIK_SECRET_KEY — for Authentik; generate with openssl rand -base64 60

See Authentik setup for full OIDC configuration.

Environment files

  • .env.dev, .env.qa, .env.prod, .env.test are gitignored
  • Copy from .env.qa.example or .env.prod.example; never commit the real files
  • Use a deployment directory or env management (e.g. systemd EnvironmentFile, Kubernetes secrets)
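The secret generation and env-file handling from the Secrets, OIDC and Environment files sections above, as one script. This is an added example, not Rediflow tooling: it generates SECRET_KEY, POSTGRES_PASSWORD and AUTHENTIK_SECRET_KEY from 60 random bytes as the page recommends, writes them to a file created with mode 0600, and refuses to overwrite an existing file so a rerun cannot rotate secrets out from under a running deployment. The OIDC_* entries are written empty because those values come from the Authentik provider. The /dev/urandom fallback when openssl is missing and the refuse-to-overwrite rule are this script's own choices.

```shell
#!/bin/sh
# Added example (not Rediflow's own tooling): generate the secrets listed on
# the hardening page and write them to a mode-0600 env file.
# Usage: sh gen_env.sh .env.prod [prod|qa]   (script name is a placeholder)

# gen_secret -> 60 random bytes, base64-encoded (80 chars), no trailing newline.
# Equivalent to `openssl rand -base64 60`; falls back to /dev/urandom.
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 60 | tr -d '\n'
    else
        head -c 60 /dev/urandom | base64 | tr -d '\n'
    fi
}

# write_env_file PATH [APP_ENV]
# Creates PATH readable by the owner only; returns 1 if PATH already exists.
write_env_file() {
    target=$1
    app_env=${2:-prod}
    if [ -e "$target" ]; then
        echo "refusing to overwrite existing $target" >&2
        return 1
    fi
    (
        umask 077          # file is created 0600: owner read/write only
        {
            printf 'APP_ENV=%s\n' "$app_env"
            printf 'SECRET_KEY=%s\n' "$(gen_secret)"
            printf 'POSTGRES_PASSWORD=%s\n' "$(gen_secret)"
            printf 'AUTHENTIK_SECRET_KEY=%s\n' "$(gen_secret)"
            # OIDC values are issued by the Authentik provider, not generated here.
            printf 'OIDC_ISSUER=\n'
            printf 'OIDC_CLIENT_ID=\n'
            printf 'OIDC_CLIENT_SECRET=\n'
        } > "$target"
    )
    echo "wrote $target (mode 0600); fill in the OIDC_* values from Authentik"
}

if [ "$#" -gt 0 ]; then
    write_env_file "$@"
fi
```

Keep the resulting file out of the repository (the page's .gitignore rules cover the .env.* names) and load it through the deployment mechanism you already use, such as a systemd EnvironmentFile or a Kubernetes Secret.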

Authentication

When OIDC_ISSUER and OIDC_CLIENT_ID are set, the app requires login for all non-public paths. Public paths: /login, /oauth/callback, /logout, /set-locale, /static/*, /s/* (share links). Because /s/* is reachable without a session, anyone who obtains a share URL can open it; treat share links as bearer credentials.

When OIDC is not configured:

  • POLICY_NO_AUTH_DEFAULT=allow_all — anyone with network access can act as admin; use only for dev or demo
  • POLICY_NO_AUTH_DEFAULT=view_only — read-only access without login

For production with multiple users, always configure OIDC.
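A pre-flight check that applies this page's checklist and the authentication rules above to an env file before it is deployed. It is an added example, not part of Rediflow. The variable names are the ones documented on this page; the 32-character minimum for secrets, the placeholder-word test, the https-only rule for OIDC_ISSUER and the assumption that every prod deployment is multi-user (so prod without OIDC is a failure) are the script's own choices. The two sample env files it writes are constructed for demonstration and contain no real values.

```shell
#!/bin/sh
# Added example, not part of Rediflow: apply the hardening checklist to an
# env file and return the number of FAIL findings.
# Usage: sh preflight.sh .env.prod   (script name is a placeholder)

# env_get FILE KEY -> value of the first KEY=... line, double quotes stripped
env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
warn() { echo "WARN: $1"; }

# preflight FILE -> prints findings, returns FAIL count
preflight() {
    f=$1
    fails=0
    min_len=32   # assumption: 32+ chars; `openssl rand -base64 60` yields 80

    app_env=$(env_get "$f" APP_ENV)
    case "$app_env" in
        qa|prod) ;;
        *) fail "APP_ENV='$app_env' is not qa or prod, so SESSION_COOKIE_SECURE is not automatic" ;;
    esac

    for key in SECRET_KEY POSTGRES_PASSWORD; do
        val=$(env_get "$f" "$key")
        if [ -z "$val" ]; then
            fail "$key is not set"
        elif [ "${#val}" -lt "$min_len" ]; then
            fail "$key is shorter than $min_len characters"
        elif printf '%s' "$val" | grep -qiE 'changeme|example|<paste'; then
            fail "$key looks like a template placeholder"
        fi
    done

    issuer=$(env_get "$f" OIDC_ISSUER)
    client_id=$(env_get "$f" OIDC_CLIENT_ID)
    client_secret=$(env_get "$f" OIDC_CLIENT_SECRET)
    policy=$(env_get "$f" POLICY_NO_AUTH_DEFAULT)

    if [ -n "$issuer" ] && [ -n "$client_id" ]; then
        # OIDC on: login is required for all non-public paths.
        [ -n "$client_secret" ] || fail "OIDC_CLIENT_SECRET is empty while OIDC is configured"
        case "$issuer" in
            https://*) ;;
            *) fail "OIDC_ISSUER '$issuer' is not an https:// URL" ;;
        esac
    else
        # OIDC off: behaviour is governed by POLICY_NO_AUTH_DEFAULT.
        if [ "$policy" = "allow_all" ]; then
            fail "POLICY_NO_AUTH_DEFAULT=allow_all without OIDC: anyone with network access is admin"
        elif [ "$app_env" = "prod" ]; then
            fail "OIDC not configured for prod (assumes prod is multi-user; relax for a single-user demo)"
        else
            warn "OIDC not configured; unauthenticated access mode is '${policy:-unset}'"
        fi
    fi

    echo "preflight: $fails failure(s) in $f"
    return "$fails"
}

# write_samples DIR -> writes two constructed env files (not real values)
write_samples() {
    cat > "$1/.env.prod.weak" <<'EOF'
APP_ENV=prod
SECRET_KEY=<paste-generated-value>
POSTGRES_PASSWORD=postgres
POLICY_NO_AUTH_DEFAULT=allow_all
EOF
    cat > "$1/.env.prod.ok" <<'EOF'
APP_ENV=prod
SECRET_KEY="sAmPlE0nly+NotARealKey/abcdefghijklmnopqrstuvwxyz0123456789ABCDEF"
POSTGRES_PASSWORD=sAmPlE0nly+NotARealPw/ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210
OIDC_ISSUER=https://auth.placeholder.invalid/application/o/rediflow/
OIDC_CLIENT_ID=rediflow
OIDC_CLIENT_SECRET=sAmPlE0nlyClientSecretValue0123456789
EOF
}

if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

Run it against .env.prod in CI or a deploy hook and refuse to roll out when it returns non-zero; the weak sample above produces three failures (placeholder SECRET_KEY, short POSTGRES_PASSWORD, allow_all without OIDC).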

Project visibility

When PROJECT_VISIBILITY_ENABLED=true, projects and people are filtered by Authentik groups:

  • Org scope: rediflow-visibility-org and rediflow-org-<org>
  • Assignment scope: rediflow-visibility-assigned

See Organisation visibility for details.

Row Level Security

Optional RLS on user_settings and shared_views requires a two-role setup: an owner role that runs migrations and a separate, less privileged app role used at runtime. See Authentik setup and the RLS plan in docs/plans/.

Container

The Rediflow image runs as a non-root user. Do not run the container as root.

Database

  • Use PostgreSQL 18+ (containerised, via Podman or Docker)
  • SQLite is not supported
  • Backup regularly; see Database backup

Related