# Security Hardening

## Pre-Deployment Checklist

### Network Security

- [ ] Firewall rules configured
- [ ] Unnecessary ports closed
- [ ] Internal services not exposed
- [ ] SSL/TLS certificates installed
- [ ] HTTP redirected to HTTPS

### Application Security

- [ ] Debug mode disabled
- [ ] Error messages sanitized
- [ ] Rate limiting enabled
- [ ] CORS properly configured
- [ ] Security headers set

### Database Security

- [ ] Default passwords changed
- [ ] Network access restricted
- [ ] SSL connections enforced
- [ ] Audit logging enabled
- [ ] Backups encrypted

### Authentication

- [ ] JWT secret rotated
- [ ] Password policy enforced
- [ ] Session timeout configured
- [ ] Failed login lockout enabled
- [ ] MFA available for admins

## Security Headers

```nginx
# Required headers
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000";
add_header Content-Security-Policy "default-src 'self'";
```

## Vulnerability Management

### Dependency Scanning

```bash
# Run weekly
npm audit
docker scan license-api:latest
```

### Security Updates

- OS patches: Monthly
- Framework updates: Quarterly
- Critical CVEs: Within 48 hours

## Incident Response

1. **Detect**: Monitoring alerts, user reports
2. **Contain**: Isolate affected systems
3. **Investigate**: Identify scope and cause
4. **Remediate**: Fix vulnerability
5. **Recover**: Restore normal operations
6. **Document**: Post-incident report

## Access Reviews

| Review Type      | Frequency |
|------------------|-----------|
| User access      | Quarterly |
| Admin access     | Monthly   |
| API keys         | Quarterly |
| Service accounts | Quarterly |
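The "Security headers set" checklist item above can be verified mechanically. The following is an added example, not code from this document or the license-api project: it checks a response's header set against the values required in the Security Headers section (exact values for the three simple headers, a `default-src` directive for CSP, and an HSTS `max-age` of at least one year). The sample header sets are constructed, not captured from a real server.

```python
# Added example (not the original document's code): check response headers against the Security Headers section.
# Header -> expected value, taken from the nginx snippet in this document.
EXACT_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, as in the snippet

def hsts_max_age(value: str) -> int:
    """Parse max-age from a Strict-Transport-Security value; -1 if absent/invalid."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return -1

def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return findings (empty list = pass). Names match case-insensitively."""
    got = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, expected in EXACT_HEADERS.items():
        actual = got.get(name.lower())
        if actual is None:
            findings.append(f"missing {name}")
        elif actual != expected:
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    # CSP: require a policy that sets default-src, as the snippet does.
    if "default-src" not in got.get("content-security-policy", ""):
        findings.append("Content-Security-Policy missing or lacks default-src")
    hsts = got.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"Strict-Transport-Security max-age below {MIN_HSTS_MAX_AGE}")
    return findings

# Constructed sample header sets (not captured from a real server).
GOOD_HEADERS = {
    "x-frame-options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
}
WEAK_HEADERS = {  # misconfigured deployment: wrong, short-lived or missing values
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self'",
}
```

Feed it the headers of a real response (for example from `requests.get(url).headers`) before sign-off; any non-empty result is a checklist failure.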