Skip to main content

Security Hardening

Hardening checklist and guidance for production CoreCube deployments.

TLS / HTTPS

Required for production. CoreCube's security headers (HSTS, secure cookies) are only active over HTTPS.

  • Deploy a reverse proxy (nginx, Caddy, Traefik) in front of CoreCube for TLS termination
  • Use a valid certificate (Let's Encrypt via Caddy is the simplest option)
  • Minimum TLS 1.2; prefer TLS 1.3
  • Caddy automatically manages TLS — see Reverse Proxy

Admin Console access restriction

Restrict admin console access to specific IP ranges at the reverse proxy level:

location /admin {
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    proxy_pass http://localhost:7400;
}

The /v1 API and /mcp endpoints should remain accessible — they authenticate via API keys.

Encryption key management

The encryption key protects all connector credentials, webhook secrets, and LLM API keys at rest.

Best practices:

  • Use ENCRYPTION_KEY_FILE with Docker secrets or Kubernetes secrets — never hardcode the key in compose files
  • Back up the key separately from the data volume. Key loss makes all credentials permanently unreadable
  • Set file permissions to 0600 (CoreCube verifies this on startup and warns if too permissive)
  • Rotate the key periodically: docker exec corecube corecube rotate-key (stop the server first)
# Recommended: Docker secrets
environment:
  ENCRYPTION_KEY_FILE: /run/secrets/encryption_key
secrets:
  encryption_key:
    external: true

Docker security

The CoreCube Docker image is hardened by default:

ControlSetting
UserNon-root (node user, UID 1000)
FilesystemRead-only (read_only: true)
Capabilitiescap_drop: ALL
Signal handlingtini as init process
Data directoryExplicit writable volume for DATA_DIR

Add these to your Docker Compose service:

services:
  corecube:
    read_only: true
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    tmpfs:
      - /tmp
    volumes:
      - corecube-data:/data

PostgreSQL security

  • Enforce SSL: add ?sslmode=require to your PGVECTOR_URL
  • Use a dedicated database user with minimal privileges (not postgres superuser)
  • CoreCube's application user only needs: CONNECT, CREATE TABLE, SELECT, INSERT, UPDATE, DELETE on the CoreCube database
  • Migrations use a separate superuser connection — this separation ensures the application role cannot alter RLS policies
postgresql://corecube:password@pgvector:5432/corecube?sslmode=require

Network isolation

Keep PostgreSQL and CoreCube Inference on an internal Docker network — not exposed to the host:

networks:
  internal:
    internal: true

services:
  corecube:
    networks: [internal, default]
    ports:
      - '7400:7400' # Only CoreCube exposed

  pgvector:
    networks: [internal]
    # No ports exposed

Default credential change

:::danger Change immediately The default credentials (admin@example.com / changeme123) must be changed immediately after first login. :::

  1. Log in to the Admin Console
  2. Click your profile icon → Profile
  3. Update your email and password
  4. Navigate to Settings and update any remaining defaults

Password policy

CoreCube enforces:

  • Minimum 12 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one digit
  • At least one special character

API key hygiene

  • Create separate API keys per client application — do not share keys
  • Set an expiration date on keys that are used temporarily
  • Revoke keys immediately when a client is decommissioned
  • Use service keys for shared frontends (OpenWebUI) so per-user permissions apply
  • Review key usage in Admin Console → API Keys → Usage

Session management

Default session lifetime is 7 days with sliding expiry. For higher security environments:

SESSION_MAX_AGE_HOURS=8

Sessions are automatically invalidated when a user's password or role changes. Admins can revoke specific sessions in Admin Console → Users → Sessions.

Webhook secrets

Every webhook-enabled connection must have a webhook_secret configured. Connections without a secret cannot receive webhook triggers.

CoreCube validates HMAC-SHA256 signatures on all incoming webhooks and rejects payloads older than 5 minutes. Rejected webhooks are logged with IP, timestamp, and rejection reason.

Audit log retention

Configure audit log retention in Admin Console → Settings → Audit:

  • Default: 90 days
  • Shorter retention reduces storage but limits forensic analysis
  • Query text storage verbosity: full, truncated, or disabled (for privacy-sensitive environments)

Dependency updates

  • All dependencies are pinned to exact versions in the lockfile
  • Monitor the CoreCube GitHub releases for security updates
  • Apply updates promptly: docker compose pull && docker compose up -d

What v1 does not include

These controls are planned for future releases or EE:

ControlStatus
Backup encryption (AES-256-GCM)Planned (Phase 6)
IP allowlists for admin/APIPlanned
Multi-factor authenticationPlanned (EE)
HSM key storagePlanned (EE)
Cryptographic audit log chainingPlanned (EE)

Until backup encryption is available, store pg_dump backups on encrypted media.

We use cookies for analytics to improve our website. More information in our Privacy Policy.