Bientôt disponibleDéploiement en 1 clic sur Vultr MarketplaceM'avertir →

FR

Sign in Start free

Loading...

Security Checklist · CarphaCom Docs | CarphaCom

Security Checklist

Run through this list before exposing your shop publicly, and review every quarter.

Network

[ ] Firewall: only :80, :443, :22 inbound. Block all others (ufw default deny).
[ ] SSH on port :22 restricted to your IP, or moved to a non-standard port.
[ ] PostgreSQL bound to localhost only (listen_addresses = 'localhost' in postgresql.conf).
[ ] Redis bound to localhost only and password-protected (requirepass).
[ ] No public access to :9000, :3001, :8000 — verify with nmap from outside.

TLS

[ ] Valid certificate from Let's Encrypt or your CA on port :443.
[ ] HTTP traffic redirects to HTTPS (return 301 https://... in nginx).
[ ] HSTS header set (Strict-Transport-Security: max-age=31536000; includeSubDomains).
[ ] TLS 1.2+ only — disable 1.0/1.1 in nginx ssl_protocols.
[ ] Cert auto-renewal cron in place (certbot renew --quiet).

SSH

[ ] Password login disabled (PasswordAuthentication no).
[ ] Root login disabled (PermitRootLogin no) — use sudo from a normal user.
[ ] Public-key auth only.
[ ] fail2ban installed and active.

Secrets

[ ] All .env.local files have mode 600, owned by the service user.
[ ] JWT_SECRET, COOKIE_SECRET, REVALIDATE_SECRET are 64-char random.
[ ] DB password is 32+ characters, unique per instance.
[ ] No secrets in git, in shell history, or in screenshots/issues.
[ ] Stripe live keys live only on the production box. Test/sandbox keys for staging.
[ ] License keys for installed plugins are encrypted in the DB (CarphaCom does this by default).

Application

[ ] Admin user uses a 16+ character password from a generator.
[ ] 2FA enabled on the admin panel (Settings → Security → 2FA).
[ ] Inactive admin sessions time out after 30 days.
[ ] Custom admin_users rows have only the permissions each user needs (least privilege).
[ ] Webhook signing secrets are rotated every 12 months.

Updates

[ ] OS auto-updates security patches enabled (unattended-upgrades).
[ ] CarphaCom platform auto-update for patch versions enabled.
[ ] All plugins updated within 7 days of a release (subscribe to vendor changelogs).
[ ] Quarterly review of installed plugins — uninstall anything unused.

Monitoring

[ ] Daily backup runs and reports success (alert on failure).
[ ] Disk usage alert at 80% of free space.
[ ] PM2 process restart alerts (pm2 install pm2-logrotate + your monitoring).
[ ] Failed login attempt rate alert (block at 10 in 5 min from same IP).
[ ] Uptime monitor against https://shop.example.com/health from outside.

Compliance (EU)

[ ] Cookie consent banner active (install Cookie Consent plugin).
[ ] Privacy policy + terms of service pages published.
[ ] GDPR data export and deletion endpoints tested (Customers → [customer] → Export / Erase).
[ ] If you process card data, your Stripe Elements integration keeps you in PCI-DSS SAQ-A scope (no card data ever touches your server).

Print this checklist, sign it, file it. Do it again every quarter.