SEQN Auth Hardening Guide

This guide covers pre-launch and recurring security hardening for the SEQN Auth MVP. Email delivery and payment collection are intentionally out of scope.

Edge and transport

  • Serve accounts.seqn.in and auth.seqn.in over HTTPS only.
  • Keep HSTS enabled with includeSubDomains once both domains are stable.
  • Keep X-Content-Type-Options: nosniff and Referrer-Policy: strict-origin-when-cross-origin.
  • Expose the Silver Auth API only through Caddy or the approved reverse proxy.
  • Keep direct API ports bound to localhost or internal Docker networks.

Authentik

  • Require MFA for platform admins.
  • Keep platform admin access gated through SEQN-A.
  • Use least-privilege Authentik API tokens for provisioning.
  • Rotate Authentik API tokens on exposure or on a regular cadence.
  • Keep Authentik provider/client secrets out of browser-visible config.

Sessions and cookies

  • Keep SESSION_COOKIE_SECURE=true in production.
  • Keep SESSION_COOKIE_SAMESITE=Lax unless a specific cross-site flow requires a reviewed change.
  • Use at least 32 random characters for SESSION_SECRET.
  • Treat session-secret rotation as a forced sign-out event.
  • Prefer short operational shells over copying cookies or tokens.

Project and webhook secrets

  • Display sk_live_ and whsec_ values only once.
  • Store only hashes or sealed secrets server-side.
  • Never return project secret keys, webhook secrets, Authentik API tokens, or OIDC client secrets from public APIs.
  • Rotate secrets after exposure, employee access changes, or environment moves.

Database and backups

  • Keep Postgres ports private to Docker networks.
  • Use strong, unique AUTHENTIK_PG_PASS and SILVER_POSTGRES_PASSWORD values.
  • Run local backups and encrypted offsite backups.
  • Keep env.backup permission-restricted.
  • Verify restore with drills, not only backup creation.

Admin and support

  • Require admin role for org mutations.
  • Require SEQN-A only for platform Authentik proxy operations.
  • Use audit logs for project, user, role, subscription, webhook, and secret-rotation actions.
  • Avoid raw secrets in support tools, screenshots, and alert payloads.
  • Revoke sessions for lost devices, offboarding, or suspicious access.

Webhook safety

  • Require HTTPS endpoint URLs for production receivers.
  • Sign all webhook payloads.
  • Ask receivers to verify timestamp and HMAC.
  • Use idempotency on receivers because retries can happen.
  • Monitor delivery failure trends and retry backlog.
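The receiver-side checks the bullets above ask for (timestamp window, HMAC, idempotent handling of retries), as an added example that is not SEQN Auth's own code; the header names, the "<timestamp>.<body>" signing format and the sample secret are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample values; the header names and signing format below are
# assumptions for this example, not the SEQN Auth wire format.
SAMPLE_SECRET = "whsec_constructed_sample_secret"
SIG_HEADER = "X-SEQN-Signature"
TS_HEADER = "X-SEQN-Timestamp"
TOLERANCE_SECONDS = 300


def sign_payload(secret, timestamp, body):
    """Sender side: HMAC-SHA256 over '<timestamp>.<raw body>' (assumed format)."""
    msg = f"{timestamp}.{body}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, body, now, seen_ids, tolerance=TOLERANCE_SECONDS):
    """Receiver side. Returns (accepted, reason).

    - rejects missing or malformed signature headers
    - rejects timestamps outside the tolerance window (limits replay)
    - compares the HMAC in constant time before parsing the body
    - treats an already-seen event id as a duplicate so retries are idempotent
    """
    ts = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if ts is None or sig is None:
        return False, "missing signature headers"
    try:
        ts_int = int(ts)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts_int) > tolerance:
        return False, "timestamp outside tolerance"
    expected = sign_payload(secret, ts, body)
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    # Only a body with a valid signature is parsed.
    event_id = json.loads(body).get("id")
    if event_id is None:
        return False, "missing event id"
    if event_id in seen_ids:
        # Acknowledge without reprocessing; the sender may retry deliveries.
        return False, "duplicate delivery (already processed)"
    seen_ids.add(event_id)
    return True, "accepted"
```

In production, `seen_ids` would be a persistent store with a retention window at least as long as the sender's retry horizon, and a duplicate should still be acknowledged with a success status so the sender stops retrying.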

Rate limits and abuse

  • Keep the app limiter enabled.
  • Use edge/proxy rules for route-specific limits.
  • Alert on sustained 429 responses, not on isolated bursts.
  • Rotate exposed secrets when abuse follows a single key prefix.
  • Block hostile sources at the edge before changing global app limits.

Launch checklist

  • Public health, config, client-config, backend-key, and console-boundary checks are monitored.
  • Non-email alerts are routed to an attended channel.
  • Local backup and offsite encrypted backup schedules are active.
  • A restore drill has been completed.
  • Admin MFA is enabled.
  • SEQN-A membership is limited to platform admins.
  • Public package names are Free, Pro, and Scale.
  • Email and payment flows are still documented as excluded from the MVP.