Security Best Practices
Auth security, network isolation, data protection, monitoring, and compliance for NFYio deployments.
This guide covers security best practices for NFYio deployments. Follow these recommendations to protect your infrastructure, data, and users.
Authentication Security
Multi-Factor Authentication (MFA)
Enable MFA for all admin and privileged accounts. NFYio integrates with Keycloak for identity management. Note that an OTP policy only defines how codes are generated; to actually require a second factor you must also make the OTP step Required in the realm's browser authentication flow (or add "Configure OTP" as a required action for the relevant users), otherwise MFA stays optional.

```text
# Keycloak MFA configuration (via Admin Console)
# Authentication → Policies → OTP Policy (Authentication → OTP Policy on older releases)
# Set: OTP Type = TOTP, Algorithm = SHA1, Digits = 6, Period = 30
# Then set "OTP Form" to Required in the browser flow so the policy is enforced
```
| Setting | Recommended Value |
|---|---|
| OTP Type | TOTP (Time-based) |
| Algorithm | SHA1 (HMAC-SHA1 as in RFC 6238; most authenticator apps support only this, so SHA256/512 would lock users out) |
| Digits | 6 |
| Period | 30 seconds |
API Key Management
API keys provide programmatic access. Treat them like passwords.
| Practice | Recommendation |
|---|---|
| Rotation | Rotate API keys every 90 days |
| Scopes | Grant minimum required scopes (e.g., read:objects only if read-only) |
| Storage | Never commit keys to source control; use secrets managers |
| Revocation | Revoke compromised keys immediately via Access Keys |
```bash
# Create API key with limited scope
curl -X POST https://api.yourdomain.com/v1/access-keys \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ci-cd-pipeline",
    "scopes": ["read:objects", "write:objects"],
    "expires_at": "2026-06-01T00:00:00Z"
  }'
```
JWT Configuration
Configure short-lived tokens to limit exposure:
| Setting | Recommended | Description |
|---|---|---|
| Access token expiry | 15 minutes | Short window reduces risk if token is stolen |
| Refresh token expiry | 7 days | Allows session continuity without long-lived access |
| Token rotation | Enabled | Issue a new refresh token on each use and invalidate the old one, so a replayed (stolen) refresh token is detected rather than silently honoured |
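The verifier side of this policy is where short lifetimes are actually enforced. The following is an added example, not NFYio or Keycloak code: it validates an HS256 token with the standard library, pins the algorithm, requires `exp` and `iat`, and rejects any token minted with a lifetime longer than the 15-minute policy even if it has not expired yet. The shared secret, claims and clock values are constructed for the example.

```python
# Added example (not NFYio code): verify an HS256 JWT and enforce the
# lifetime policy from the table above. The shared secret, claims and
# clock values are constructed for this example.
import base64
import hashlib
import hmac
import json
import time

MAX_ACCESS_TOKEN_LIFETIME = 15 * 60   # seconds, the recommended access-token expiry
CLOCK_SKEW = 30                       # tolerated drift between issuer and verifier


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a token. `alg` is a parameter only so the example can build a bad one."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_access_token(token: str, secret: bytes, now=None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token choose it
    # (this is what rejects alg=none and RS256/HS256 key-confusion tokens).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # exp and iat are mandatory: a token without exp is a long-lived credential
    if not isinstance(claims.get("exp"), int) or not isinstance(claims.get("iat"), int):
        raise ValueError("exp and iat required")
    if claims["exp"] <= now - CLOCK_SKEW:
        raise ValueError("token expired")
    if claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    # Reject tokens minted with a longer lifetime than policy allows, even if
    # they have not expired yet: that catches a misconfigured issuer.
    if claims["exp"] - claims["iat"] > MAX_ACCESS_TOKEN_LIFETIME:
        raise ValueError("token lifetime exceeds policy")
    return claims


def check(token: str, secret: bytes, now: int) -> str:
    """Helper for the walkthrough: 'ok' or the reason the token was rejected."""
    try:
        verify_access_token(token, secret, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


def demo() -> dict:
    """Constructed cases: compliant, expired, over-long lifetime, alg=none, tampered."""
    secret = b"example-shared-secret"      # constructed; use a random >=32-byte key in practice
    now = 1_700_000_000
    good = sign_hs256({"sub": "alice", "iat": now, "exp": now + 900}, secret)
    long_lived = sign_hs256({"sub": "alice", "iat": now, "exp": now + 86_400}, secret)
    none_alg = sign_hs256({"sub": "alice", "iat": now, "exp": now + 900}, secret, alg="none")
    h, p, s = good.split(".")
    tampered = ".".join([h, _b64url_encode(b'{"sub": "admin"}'), s])
    return {
        "good": check(good, secret, now + 60),
        "expired": check(good, secret, now + 1_000),
        "long_lived": check(long_lived, secret, now + 60),
        "none_alg": check(none_alg, secret, now + 60),
        "tampered": check(tampered, secret, now + 60),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

The lifetime check is the part most libraries leave to you: a signed, unexpired token with a 24-hour `exp` passes ordinary validation, but it means the issuer is not following the 15-minute policy, and rejecting it at the verifier surfaces that immediately.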
Network Security
VPC Isolation
Deploy NFYio components inside a VPC. Isolate tiers (web, app, data) in separate subnets.
┌─────────────────────────────────────────────────────────┐
│ VPC (10.0.0.0/16) │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Public │ │ Private │ │ Data │ │
│ │ Subnet │ │ Subnet │ │ Subnet │ │
│ │ (LB, GW) │ │ (Agents) │ │ (DB, Redis) │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────┘
Security Groups
Apply least-privilege rules. See Security Groups for details.
| Tier | Inbound | Outbound |
|---|---|---|
| API Gateway | 443 from LB only | DB, Redis, Storage |
| Storage Proxy | 7007 from Gateway | SeaweedFS only |
| Database | 5432 from App tier only | None |
Network ACLs
Network ACLs apply stateless filtering at the subnet boundary and complement the stateful security groups above rather than replacing them. Because they are stateless, return traffic is not matched to the request that caused it: a subnet that allows only inbound 443 must also allow outbound traffic to the clients' ephemeral ports, or responses are dropped. Start from deny-all and allow only the traffic you need in each direction.
Default Deny-All
Start with deny-all rules. Explicitly allow only required ports and sources. The rules below are inbound; add the matching outbound rules for reply traffic:

```json
{
  "default_action": "deny",
  "rules": [
    { "action": "allow", "protocol": "tcp", "port": "443", "cidr": "0.0.0.0/0" },
    { "action": "allow", "protocol": "tcp", "port": "22", "cidr": "10.0.0.0/8" }
  ]
}
```
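To see what a stateless default-deny ruleset actually does to a packet, here is an added example (not NFYio code) that evaluates packets against rules in the JSON shape above. The `direction` field, first-match ordering and the outbound ephemeral-port rule are assumptions made for the example; the page's rules carry no direction. It also shows the failure mode: with only the inbound rules copied from the page, the HTTPS reply to a client is denied.

```python
# Added example (not NFYio code): evaluate packets against a stateless,
# default-deny ACL in the JSON shape shown above. The "direction" field and
# the rule ordering are assumptions for this example; the page's rules carry
# no direction. A stateless ACL does not track connections, so reply traffic
# to clients' ephemeral ports must be allowed explicitly or it is dropped.
import ipaddress
import json

# Constructed ruleset: the page's two inbound rules plus the outbound rule
# that stateless filtering needs for HTTPS responses to reach clients.
ACL_JSON = """
{
  "default_action": "deny",
  "rules": [
    {"direction": "inbound",  "action": "allow", "protocol": "tcp", "port": "443",        "cidr": "0.0.0.0/0"},
    {"direction": "inbound",  "action": "allow", "protocol": "tcp", "port": "22",         "cidr": "10.0.0.0/8"},
    {"direction": "outbound", "action": "allow", "protocol": "tcp", "port": "1024-65535", "cidr": "0.0.0.0/0"}
  ]
}
"""


def _port_matches(spec: str, port: int) -> bool:
    """`spec` is a single port ("443") or an inclusive range ("1024-65535")."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def evaluate(acl: dict, direction: str, protocol: str, remote_ip: str, dst_port: int) -> str:
    """First matching rule wins; no match falls through to default_action.
    `remote_ip` is the peer outside the subnet and `dst_port` the packet's
    destination port (the service port inbound, the client's port outbound)."""
    remote = ipaddress.ip_address(remote_ip)
    for rule in acl["rules"]:
        if rule.get("direction", "inbound") != direction:
            continue
        if rule["protocol"] not in (protocol, "any"):
            continue
        if not _port_matches(rule["port"], dst_port):
            continue
        if remote not in ipaddress.ip_network(rule["cidr"]):
            continue
        return rule["action"]
    return acl.get("default_action", "deny")


def demo() -> dict:
    acl = json.loads(ACL_JSON)
    # The same ACL with the outbound rule removed, which is what a deployment
    # that only copied the inbound rules from the page would look like.
    inbound_only = {"default_action": acl["default_action"],
                    "rules": [r for r in acl["rules"] if r["direction"] == "inbound"]}
    return {
        "https_from_internet": evaluate(acl, "inbound", "tcp", "203.0.113.7", 443),
        "ssh_from_internet": evaluate(acl, "inbound", "tcp", "203.0.113.7", 22),
        "ssh_from_vpc": evaluate(acl, "inbound", "tcp", "10.0.1.5", 22),
        "udp_443_from_internet": evaluate(acl, "inbound", "udp", "203.0.113.7", 443),
        # HTTPS reply to the client's ephemeral port: allowed only with the outbound rule
        "https_reply": evaluate(acl, "outbound", "tcp", "203.0.113.7", 51234),
        "https_reply_inbound_only": evaluate(inbound_only, "outbound", "tcp", "203.0.113.7", 51234),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26s} {verdict}")
```

The outbound rule for 1024-65535 is broad because a stateless filter cannot know which ephemeral port a client picked; that breadth is the price of statelessness, and it is why the fine-grained restrictions belong in the stateful security groups.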
Data Security
Encryption at Rest
NFYio uses AES-256 encryption for object storage. Ensure your SeaweedFS volume encryption is enabled. Encryption at rest protects data on stolen, decommissioned or backed-up disks; it does not protect against a compromised gateway or filer, which reads the data through the normal path.

```yaml
# docker-compose override for encrypted volumes
services:
  seaweedfs-volume:
    environment:
      # Confirm this variable against your SeaweedFS build; upstream SeaweedFS
      # turns data encryption on with the filer flag -encryptVolumeData
      - WEED_VOLUME_ENCRYPTION=true
```
| Data Type | Encryption |
|---|---|
| Object storage | AES-256 (SeaweedFS) |
| Database | Disk or volume encryption (LUKS, cloud-managed encrypted volumes); community PostgreSQL has no built-in TDE, so TDE needs a vendor build or extension |
| Redis | Encrypt sensitive data before storage (Redis writes its RDB/AOF persistence files in plaintext) |
Encryption in Transit (TLS 1.3)
Use TLS 1.3 for all external and internal traffic. Note that with TLS 1.3 alone, Nginx's `ssl_ciphers` list has no effect: TLS 1.3 cipher suites are fixed by the protocol and are not selected by that directive. The list only matters if you re-enable TLS 1.2 for legacy clients.

```nginx
# Nginx TLS configuration
ssl_protocols TLSv1.3;                 # add TLSv1.2 only if clients you must support lack 1.3
# ssl_ciphers governs TLS 1.2 and older only: TLS 1.3 suites are fixed by the
# protocol (AES-GCM and ChaCha20-Poly1305) and are not chosen here. The list
# below therefore only takes effect if TLSv1.2 is re-enabled above.
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
```
Row-Level Security (RLS)
For multi-tenant deployments, use RLS so that the database, and not only the application, restricts each user to their own rows. Policies are inert until RLS is enabled on the table, and superusers or roles with BYPASSRLS skip them entirely, so the application must connect as an ordinary role. With FOR ALL and no WITH CHECK clause, PostgreSQL applies the USING expression to inserts and updates as well:

```sql
-- Example: Users see only their buckets
ALTER TABLE buckets ENABLE ROW LEVEL SECURITY;
ALTER TABLE buckets FORCE ROW LEVEL SECURITY;   -- apply the policy to the table owner too
-- auth.uid() is assumed to return the caller's id (a Supabase-style helper);
-- on plain PostgreSQL use e.g. current_setting('app.user_id', true)::uuid
CREATE POLICY bucket_owner_policy ON buckets
FOR ALL
USING (owner_id = auth.uid());
```
Role-Based Access Control (RBAC)
Define roles and assign minimal permissions. Scopes use the `action:resource` form, with `*` as a wildcard:

| Role | Permissions |
|---|---|
| viewer | `read:*`, `list:*` |
| editor | `read:*`, `write:*`, `list:*` |
| admin | Full access within org |
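Both the API key scopes earlier on this page and the role permissions above come down to one check: does a granted scope cover a requested one? The following is an added example, not NFYio code, of that check. The wildcard semantics and the rule that an API key may not carry scopes its owner's role lacks are design choices assumed for the example, not documented NFYio behaviour.

```python
# Added example (not NFYio code): least-privilege scope checks for API keys
# and roles. Scopes use the page's action:resource form with * as a wildcard;
# the matching rules and the "a key cannot exceed its owner's role" check are
# design choices assumed here, not documented NFYio behaviour.
from typing import Iterable

ROLE_SCOPES = {
    "viewer": {"read:*", "list:*"},
    "editor": {"read:*", "write:*", "list:*"},
    "admin": {"*:*"},   # full access within the org
}


def scope_matches(granted: str, required: str) -> bool:
    """`read:*` covers `read:objects`, `*:*` covers everything, and a concrete
    grant such as `read:objects` does not cover a wildcard request `read:*`.
    Each side must be a full action:resource pair; a bare `read` or a prefix
    like `read:obj` matches nothing, so malformed input fails closed."""
    g_action, g_sep, g_resource = granted.partition(":")
    r_action, r_sep, r_resource = required.partition(":")
    if not (g_sep and g_resource and r_sep and r_resource):
        return False
    return g_action in ("*", r_action) and g_resource in ("*", r_resource)


def is_allowed(granted: Iterable[str], required: str) -> bool:
    """Deny by default: at least one granted scope must cover the request."""
    return any(scope_matches(g, required) for g in granted)


def effective_key_scopes(requested: Iterable[str], owner_role: str) -> set:
    """Scopes an API key actually gets: what was requested, minus anything the
    key's owner cannot do themselves. Without this, creating a key would be a
    privilege-escalation path for any user allowed to create keys."""
    owner_scopes = ROLE_SCOPES[owner_role]
    return {s for s in requested if is_allowed(owner_scopes, s)}


def demo() -> dict:
    # Constructed: the page's ci-cd-pipeline key, created by a viewer vs an editor
    requested = ["read:objects", "write:objects"]
    return {
        "viewer_key": sorted(effective_key_scopes(requested, "viewer")),
        "editor_key": sorted(effective_key_scopes(requested, "editor")),
        "viewer_can_read": is_allowed(ROLE_SCOPES["viewer"], "read:objects"),
        "viewer_can_write": is_allowed(ROLE_SCOPES["viewer"], "write:objects"),
        "editor_can_delete": is_allowed(ROLE_SCOPES["editor"], "delete:objects"),
        "admin_can_delete": is_allowed(ROLE_SCOPES["admin"], "delete:objects"),
        "prefix_no_match": is_allowed({"read:obj"}, "read:objects"),
        "malformed_denied": is_allowed({"read"}, "read:objects"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} {result}")
```

The `effective_key_scopes` intersection is the part worth copying: a `write:objects` scope requested by a viewer is silently dropped rather than granted, which keeps "rotate and narrowly scope keys" from being undone by the key-creation endpoint itself.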
Monitoring & Auditing
Audit Logs
Enable audit logging for sensitive operations:
| Event | Log Level |
|---|---|
| Login/logout | INFO |
| API key creation/revocation | WARN |
| Bucket/object delete | WARN |
| Permission changes | WARN |
```bash
# Query audit logs (example)
docker compose logs nfyio-gateway --since 24h | grep -E "AUDIT|auth|delete"
# Ad-hoc check only: ship audit logs off the host (see Log Retention), since
# anyone who controls the gateway container can alter logs that stay on it.
```
Log Retention
| Log Type | Retention | Storage |
|---|---|---|
| Application logs | 30 days | Rotate daily |
| Audit logs | 1 year | Immutable, append-only |
| Access logs | 90 days | For compliance |
Intrusion Detection
- Monitor failed login attempts; lock after 5 failures (in Keycloak: Realm Settings → Security Defenses → Brute Force Detection). Prefer a temporary lockout with an increasing wait over a permanent one, otherwise an attacker can lock legitimate users out simply by guessing wrong on purpose
- Alert on unusual API patterns (e.g., bulk export)
- Use Private Endpoints for sensitive workloads
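The first two points above are detection rules, and they are easy to get wrong in ways that miss attacks (counting failures only per user misses password spraying, which tries many users once each). The following is an added example, not NFYio code, that runs both rules over audit log lines. The line format (`timestamp level AUDIT key=value ...`), the thresholds and the sample lines are constructed for the example.

```python
# Added example (not NFYio code): run brute-force and bulk-export detection
# over audit log lines. The line format (timestamp level AUDIT key=value ...)
# and the thresholds are assumptions for this example; the log lines are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+AUDIT\s+(?P<kv>.*)$")

# event -> (threshold, window, dimensions to count on)
# Counting login failures per IP as well as per user catches password spraying,
# which stays under the per-user lockout by trying many users once each.
RULES = {
    "login_failed": (5, timedelta(minutes=10), ("user", "ip")),   # lock after 5 failures
    "object_read": (100, timedelta(minutes=5), ("user",)),        # bulk export
}


def parse_audit_line(line: str):
    """Return a dict of fields, or None for lines that are not audit events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["level"] = m["level"]
    return fields


def detect(lines, rules=RULES) -> list:
    """Sliding-window counter per (event, dimension, value); alerts once per key."""
    events = [e for e in map(parse_audit_line, lines) if e and "event" in e]
    events.sort(key=lambda e: e["ts"])          # container logs may arrive interleaved
    windows = defaultdict(deque)
    flagged = set()
    alerts = []
    for e in events:
        rule = rules.get(e["event"])
        if rule is None:
            continue
        limit, window, dims = rule
        for dim in dims:
            if dim not in e:
                continue
            key = (e["event"], dim, e[dim])
            q = windows[key]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:       # drop timestamps outside the window
                q.popleft()
            if len(q) >= limit and key not in flagged:
                flagged.add(key)
                alerts.append({"event": e["event"], "dimension": dim, "value": e[dim],
                               "count": len(q), "at": e["ts"].isoformat()})
    return alerts


def sample_lines() -> list:
    """Constructed log sample: a brute-force burst, a password spray, a bulk read."""
    base = datetime(2025, 1, 15, 10, 0, 0)

    def at(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [f"{at(0)} INFO nfyio-gateway listening on :8080"]               # not an audit line
    lines += [f"{at(i)} WARN AUDIT event=login_failed user=alice ip=203.0.113.7" for i in range(1, 6)]
    lines += [f"{at(10)} INFO AUDIT event=login user=alice ip=10.0.1.9"]
    lines += [f"{at(300 + i)} WARN AUDIT event=login_failed user=u{i} ip=198.51.100.9" for i in range(5)]
    lines += [f"{at(600 + i)} INFO AUDIT event=object_read user=bob ip=10.0.1.9 bucket=exports key=part-{i:04d}"
              for i in range(120)]
    lines += [f"{at(900)} WARN AUDIT event=object_delete user=carol ip=10.0.1.9 bucket=tmp key=old.bin"]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_lines()):
        print(alert)
```

Run against the sample, this raises four alerts: alice by user and by IP for the burst, 198.51.100.9 by IP only for the spray (no single user crossed five failures), and bob for the bulk read. Feed the real lines from the `docker compose logs` query above, or better, from the immutable audit store, in place of `sample_lines()`.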
Compliance
GDPR
- Data minimization: Collect only necessary data
- Right to erasure: Implement delete APIs that purge user data
- Data portability: Support export in standard formats
- DPA: Sign Data Processing Agreements with sub-processors
SOC 2
- Document access controls and change management
- Maintain audit trails for 1+ year
- Regular vulnerability scans and penetration tests
- Incident response plan
HIPAA
- BAA with NFYio/hosting provider if handling PHI
- Encryption at rest and in transit (required)
- Access logging and audit controls
- Dedicated infrastructure for PHI workloads
Security Checklist
- MFA enabled for admin accounts
- API keys rotated every 90 days
- Access token expiry set to 15 minutes; refresh token rotation enabled
- VPC and security groups configured
- Default deny-all network ACLs
- TLS 1.3 for all traffic
- Audit logging enabled
- Log retention policy defined
- Compliance requirements documented
Next Steps
- Access Keys — API key management
- Security Groups — Firewall rules
- Network ACLs — Subnet filtering
- API Authentication — Auth flows