Security Settings

Secure your Supascale installation with best practices.

Supascale includes multiple security features to protect your installation. This guide covers security configuration and best practices.

Authentication Security

Password Requirements

Supascale enforces strong password policies:

  • Minimum 12 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character

Session Management

Sessions are secured with:

  • JWT tokens signed with NEXTAUTH_SECRET
  • HTTP-only cookies (not accessible via JavaScript)
  • Secure flag (HTTPS only in production)
  • SameSite protection against CSRF

Failed Login Protection

To prevent brute force attacks:

  • Rate limiting on login attempts
  • Account lockout after repeated failures
  • Login attempt logging

Database Encryption

Credential Storage

Sensitive data is encrypted before storage:

# Generate a secure encryption key
DB_ENCRYPTION_KEY=$(openssl rand -hex 32)

Encrypted data includes:

  • Database passwords
  • API keys and secrets
  • Cloud storage credentials
  • OAuth client secrets

Key Management

Best practices for encryption keys:

  1. Generate strong keys: Use openssl rand -hex 32
  2. Never share keys: Keep the key separate from the backups it protects
  3. Rotate periodically: Generate a new key and re-encrypt the stored data
  4. Secure storage: Use environment variables, not files

API Security

API Key Authentication

Generate API keys with granular permissions:

Header: X-API-Key: sk_live_xxxxxxxxxxxxxxxxxxxx

Permissions Model

Each API key has permissions per resource:

Permission   Access
none         No access
read         GET operations only
write        All operations

Resources:

  • projects - Project management
  • backups - Backup operations
  • tasks - Scheduled tasks
  • cloudStorage - Storage providers
  • system - System operations

API Key Best Practices

  1. Minimum permissions: Grant only required access
  2. Expiration dates: Set keys to expire
  3. Unique keys: One key per integration
  4. Monitor usage: Review activity logs
  5. Rotate regularly: Replace keys periodically
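An added example (not Supascale's own code) of enforcing the per-resource permission model and the key-expiry best practice described above. The API key object shape, the `authorize` function and the sample key values are assumptions for illustration:

```javascript
// Permission levels from the model on this page: none < read < write.
// "read" covers GET only; "write" covers all HTTP methods.
const LEVEL = { none: 0, read: 1, write: 2 };
const RESOURCES = new Set(["projects", "backups", "tasks", "cloudStorage", "system"]);

// Level a request needs: GET is a read, everything else is a write.
function requiredLevel(method) {
  return method.toUpperCase() === "GET" ? LEVEL.read : LEVEL.write;
}

// Decide whether an API key may perform `method` on `resource`.
// Fails closed: unknown resources, expired keys and unrecognised
// permission values are all denied. Returns { allowed, reason }.
function authorize(apiKey, method, resource, now = new Date()) {
  if (!RESOURCES.has(resource)) return { allowed: false, reason: "unknown resource" };
  if (apiKey.expiresAt && new Date(apiKey.expiresAt) <= now)
    return { allowed: false, reason: "key expired" };
  const granted = LEVEL[apiKey.permissions[resource] ?? "none"];
  if (granted === undefined) return { allowed: false, reason: "invalid permission value" };
  if (granted < requiredLevel(method)) return { allowed: false, reason: "insufficient permission" };
  return { allowed: true, reason: "ok" };
}

// Constructed sample key (assumed shape): read-only on backups, full
// access to tasks, no access to anything else, expires in 2030.
const sampleKey = {
  id: "sk_live_EXAMPLE_PLACEHOLDER", // placeholder, not a real key
  permissions: { backups: "read", tasks: "write" },
  expiresAt: "2030-01-01T00:00:00Z",
};

console.log(authorize(sampleKey, "GET", "backups"));   // allowed
console.log(authorize(sampleKey, "POST", "backups"));  // insufficient permission
console.log(authorize(sampleKey, "GET", "projects"));  // insufficient permission (none)
```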

Network Security

Firewall Configuration

Configure UFW for Supascale:

# Allow SSH
sudo ufw allow 22/tcp

# Allow HTTP (for Let's Encrypt)
sudo ufw allow 80/tcp

# Allow HTTPS
sudo ufw allow 443/tcp

# Enable firewall
sudo ufw enable

Port Exposure

Only expose necessary ports:

Port    Expose publicly?
80      Yes (redirect to HTTPS)
443     Yes (main access)
3000    No (internal only)
5432+   No (project databases)

IP Whitelisting

For additional security, restrict access by IP:

# Nginx example
location / {
    allow 10.0.0.0/8;      # Internal network
    allow 203.0.113.50;    # Specific IP
    deny all;

    proxy_pass http://127.0.0.1:3000;
}

Security Headers

Configure in Nginx

# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Header Explanations

Header                      Purpose
X-Frame-Options             Prevents clickjacking
X-Content-Type-Options      Prevents MIME sniffing
X-XSS-Protection            XSS filter (legacy browsers)
Referrer-Policy             Controls referrer information
Content-Security-Policy     Controls resource loading
Strict-Transport-Security   Forces HTTPS
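An added example (not Supascale's or Nginx's code) that audits a captured set of response headers against the configuration above and flags weak values, in particular an HSTS max-age under one year and a CSP script-src that allows 'unsafe-inline' or 'unsafe-eval'. The `auditHeaders` function and the sample header set are assumptions; the sample is constructed from the Nginx snippet on this page:

```javascript
// Required headers and a predicate saying whether the value is acceptable.
// Header names are lowercase, as Node's http module and fetch() return them.
const REQUIRED = {
  "x-frame-options": (v) => /^(DENY|SAMEORIGIN)$/i.test(v.trim()),
  "x-content-type-options": (v) => /^nosniff$/i.test(v.trim()),
  "referrer-policy": (v) => v.trim().length > 0,
  "content-security-policy": (v) => v.trim().length > 0,
  "strict-transport-security": (v) => hstsMaxAge(v) >= 31536000, // one year
};

// Extract max-age from an HSTS value; 0 if absent or malformed.
function hstsMaxAge(value) {
  const m = /max-age=(\d+)/i.exec(value);
  return m ? Number(m[1]) : 0;
}

// Returns a list of findings; an empty list means every check passed.
function auditHeaders(headers) {
  const findings = [];
  for (const [name, ok] of Object.entries(REQUIRED)) {
    const value = headers[name];
    if (value === undefined) findings.push(`missing ${name}`);
    else if (!ok(value)) findings.push(`weak ${name}: ${value}`);
  }
  // CSP: 'unsafe-inline' / 'unsafe-eval' in script-src largely defeat the
  // policy's protection against injected script, so flag them explicitly.
  const csp = headers["content-security-policy"] || "";
  const scriptSrc = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("script-src"));
  if (scriptSrc) {
    for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (scriptSrc.includes(kw)) findings.push(`csp script-src allows ${kw}`);
    }
  }
  return findings;
}

// Constructed sample: the headers the Nginx snippet above would emit.
const pageHeaders = {
  "x-frame-options": "SAMEORIGIN",
  "x-content-type-options": "nosniff",
  "x-xss-protection": "1; mode=block",
  "referrer-policy": "strict-origin-when-cross-origin",
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
};

console.log(auditHeaders(pageHeaders)); // reports the two unsafe CSP keywords
```

The checker reports the CSP keywords on purpose: the policy on this page is a starting point, and tightening script-src is the next step once the application runs without inline or eval'd scripts.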

File Permissions

Installation Directory

# Set ownership
sudo chown -R supascale:supascale /opt/supascale-web

# Set directory permissions
sudo find /opt/supascale-web -type d -exec chmod 755 {} \;

# Set file permissions
sudo find /opt/supascale-web -type f -exec chmod 644 {} \;

# Protect sensitive files
sudo chmod 600 /opt/supascale-web/.env.local
sudo chmod 600 /opt/supascale-web/data/supascale.db

Project Directories

# Set ownership
sudo chown -R supascale:docker /var/supascale/projects

# Set permissions
sudo chmod 750 /var/supascale/projects

Backup Security

Encrypted Backups

Enable encryption for sensitive backups:

  1. Go to Backups > Create Backup
  2. Enable Encrypt backup
  3. Store encryption password securely

Secure Backup Storage

  • Use cloud storage with encryption at rest
  • Enable versioning for recovery
  • Restrict access with IAM policies
  • Store encryption keys separately

Monitoring and Auditing

Activity Logging

Supascale logs all significant actions:

  • User logins and logouts
  • Project operations
  • Backup and restore operations
  • Configuration changes
  • API key usage

Review Logs

Access logs at Settings > Activity History or via API:

curl -H "X-API-Key: your-key" \
  https://supascale.example.com/api/v1/settings/activity-history

Alerts

Configure email notifications for:

  • Failed login attempts
  • Security-related changes
  • System errors
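An added example (not Supascale's own code) of the detection logic behind a failed-login alert: a sliding-window count of failures per source IP over activity-history records, covering the Failed Login Protection and Alerts sections above. The record shape `{ts, action, user, ip}`, the action names and the sample records are constructed assumptions; the page does not describe the real activity-history format:

```javascript
const WINDOW_MS = 10 * 60 * 1000; // look-back window: 10 minutes
const THRESHOLD = 5;              // failures per source IP that trigger an alert

// Scan records in time order and emit one alert per source IP the first
// time it accumulates `threshold` failed logins within `windowMs`.
// Each alert carries the IP, the timestamp of the tripping failure, the
// failure count in the window and the usernames targeted so far.
function detectFailedLoginBursts(records, windowMs = WINDOW_MS, threshold = THRESHOLD) {
  const byIp = new Map();
  const alerts = [];
  const sorted = [...records].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  for (const r of sorted) {
    if (r.action !== "login.failed") continue;
    const t = Date.parse(r.ts);
    const bucket = byIp.get(r.ip) || { times: [], users: new Set(), alerted: false };
    bucket.times.push(t);
    bucket.users.add(r.user);
    // Slide the window: drop failures older than windowMs before this one.
    while (bucket.times.length && t - bucket.times[0] > windowMs) bucket.times.shift();
    if (bucket.times.length >= threshold && !bucket.alerted) {
      bucket.alerted = true; // alert once per IP, not once per extra failure
      alerts.push({ ip: r.ip, at: r.ts, failures: bucket.times.length, users: [...bucket.users] });
    }
    byIp.set(r.ip, bucket);
  }
  return alerts;
}

// Constructed sample: five failures from one address in four minutes,
// plus a successful login and an isolated failure from internal hosts.
const sampleRecords = [
  { ts: "2024-05-01T10:00:00Z", action: "login.failed",  user: "admin", ip: "203.0.113.9" },
  { ts: "2024-05-01T10:01:00Z", action: "login.failed",  user: "admin", ip: "203.0.113.9" },
  { ts: "2024-05-01T10:01:30Z", action: "login.success", user: "alice", ip: "10.0.0.5" },
  { ts: "2024-05-01T10:02:00Z", action: "login.failed",  user: "root",  ip: "203.0.113.9" },
  { ts: "2024-05-01T10:03:00Z", action: "login.failed",  user: "admin", ip: "203.0.113.9" },
  { ts: "2024-05-01T10:04:00Z", action: "login.failed",  user: "admin", ip: "203.0.113.9" },
  { ts: "2024-05-01T10:30:00Z", action: "login.failed",  user: "bob",   ip: "10.0.0.7" },
];

console.log(detectFailedLoginBursts(sampleRecords)); // one alert for 203.0.113.9
```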

Security Checklist

  • [ ] Strong NEXTAUTH_SECRET generated
  • [ ] Strong DB_ENCRYPTION_KEY generated
  • [ ] SSL/TLS configured with valid certificate
  • [ ] Firewall configured (UFW or equivalent)
  • [ ] Security headers configured
  • [ ] File permissions set correctly
  • [ ] API keys have minimum required permissions
  • [ ] Activity logging enabled
  • [ ] Regular backups configured
  • [ ] Updates applied regularly