https://sourceforge.net/p/cordum/wiki/Security/Recent changes to SecurityenFri, 30 Jan 2026 13:21:10 -0000https://sourceforge.net/p/cordum/wiki/Security/<div class="markdown_content"><pre>--- v2 +++ v3 @@ -8,6 +8,7 @@ - **API key required**: every request must include `X-API-Key` and `X-Tenant-ID`. - **Tenant enforcement**: empty tenant IDs are rejected. - **Fail-closed auth**: missing or invalid keys return 401. +- **No insecure auth bypass**: `CORDUM_ALLOW_INSECURE_NO_AUTH=1` is dev-only and blocked in production. ## Production mode @@ -44,4 +45,6 @@ ## Client-side security The dashboard does not persist API keys in localStorage. Avoid embedding keys in -`config.json` unless the UI is restricted to trusted operators. +`config.json` unless the UI is restricted to trusted operators. If you do +embed them, use `CORDUM_DASHBOARD_EMBED_API_KEY=1` and disable it in shared +environments. </pre> </div>yaron TorgemanFri, 30 Jan 2026 13:21:10 -0000https://sourceforge.net6d017321d12ee94e12e0a05fa3a3d28be9442b2chttps://sourceforge.net/p/cordum/wiki/Security/<div class="markdown_content"><pre></pre> </div>yaron TorgemanFri, 30 Jan 2026 13:21:09 -0000https://sourceforge.net441ed4c80e73d05964a8fe191a2c8f55435ce3cbhttps://sourceforge.net/p/cordum/wiki/Security/<div class="markdown_content"><h1 id="h-security">Security</h1> <p>Cordum is designed for secure-by-default deployments. Use this checklist before<br/> production.</p> <h2 id="h-baseline-requirements">Baseline requirements</h2> <ul> <li><strong>API key required</strong>: every request must include <code>X-API-Key</code> and <code>X-Tenant-ID</code>.</li> <li><strong>Tenant enforcement</strong>: empty tenant IDs are rejected.</li> <li><strong>Fail-closed auth</strong>: missing or invalid keys return 401.</li> </ul> <h2 id="h-production-mode">Production mode</h2> <p>Set <code>CORDUM_ENV=production</code> (or <code>CORDUM_PRODUCTION=true</code>) to enable strict<br/> security checks. Production mode requires:</p> <ul> <li>TLS for HTTP and gRPC.</li> <li>TLS for Redis and NATS clients.</li> <li>A configured policy verification key.</li> </ul> <h2 id="h-policy-signature-verification">Policy signature verification</h2> <p>Signed policies prevent tampering. Configure:</p> <ul> <li><code>SAFETY_POLICY_PUBLIC_KEY</code> (base64 encoded)</li> <li><code>SAFETY_POLICY_SIGNATURE</code> or <code>SAFETY_POLICY_SIGNATURE_PATH</code></li> </ul> <p>If production mode is enabled and no public key is configured, the Safety Kernel<br/> fails to start.</p> <h2 id="h-metrics-exposure">Metrics exposure</h2> <p>Metrics endpoints bind to loopback in production by default. To expose them:</p> <ul> <li><code>GATEWAY_METRICS_PUBLIC=1</code></li> <li><code>SCHEDULER_METRICS_PUBLIC=1</code></li> </ul> <h2 id="h-key-management">Key management</h2> <ul> <li>Rotate API keys regularly.</li> <li>Store secrets in a KMS or secret manager.</li> <li>Use <code>CORDUM_API_KEYS_PATH</code> for hot-reload without restarts.</li> </ul> <h2 id="h-client-side-security">Client-side security</h2> <p>The dashboard does not persist API keys in localStorage. Avoid embedding keys in<br/> <code>config.json</code> unless the UI is restricted to trusted operators.</p></div>yaron TorgemanFri, 30 Jan 2026 13:21:08 -0000https://sourceforge.net1bcea228f06014a0482a55b7668de48ba15e977e