Security Hardening
The following measures should be taken to make Katalogue as secure as possible in a production scenario. Coincidentally, most of these actions also reduce the management burden for Katalogue admins.
Security Hardening Checklist
- Set the ENCRYPTION_KEY config variable to a long, cryptographically random string.
- Secure database user accounts:
- Make sure the katalogue_superuser database user only has the default permissions and a strong password.
- Make sure admin database users are few and have strong passwords. Ideally, avoid the default postgres username.
- Configure Cookies and CORS properly.
- Deploy Katalogue behind a VPN/firewall, and never expose it to the internet.
- Ensure all communication between services is forced to use HTTPS.
- Use external users provisioned through user groups, rather than local users or individually added external users. This relieves Katalogue from storing user account passwords and automates user role assignments.
- Go through the security hardening steps for the app registration in Azure.
- Disable local user authentication (Settings -> Authentication and uncheck Enable Local Authentication). This disables the feature to create and use local user accounts in Katalogue.
- If local user authentication cannot be disabled, make sure to update the admin user’s default password.
- Restrict the permissions of the user accounts used in datasource connections (the ones that ingest metadata from source systems) to read access on the required resources/tables only.
- Enable password manager integration for datasource connections and store all datasource connection passwords there. This relieves Katalogue from storing user account passwords.
- Inject all configuration parameters that are secrets as environment variables/secrets in the startup phase of Docker containers. Do not store secrets in the appsettings.json config file nor inject them as environment variables during the Docker build stage, as this will leave the secrets exposed in the built Docker image.
- If the REST API service is enabled, consider using an externally provided signing key for access token signing. This relieves Katalogue from storing the private key.
- Limit the number of Katalogue admin users to as few as possible.
- Documentation & Processes:
- Document your deployment.
- Store all passwords in keyvaults or other safe places.
- Set up backup & restore processes for the database.
- Integrate logging with central logging functions.
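The two database items above (keeping admin database users few and non-default, and giving datasource connection accounts read access only) can be carried out with a small amount of SQL. The script below is an added example, not Katalogue project code or documentation: it emits a least-privilege role definition for a datasource connection account and an audit query for privileged roles. The role, schema and database names (ds_reader, public, sourcedb) are constructed placeholders; the password is never written into the SQL but supplied at run time through psql's `:'pw'` variable, so it can come from a password manager or environment variable instead of a script.

```shell
#!/bin/sh
# Added example, not Katalogue project code: generate least-privilege SQL for a
# read-only datasource account and an audit query for privileged login roles.
set -eu

# Only plain PostgreSQL identifiers are accepted (letters, digits, underscore);
# anything else could break out of the statements we emit. 0 when safe.
is_safe_ident() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_]{0,62}$'
}

# Emit SQL creating login role $1 with read-only access to schema $2 in
# database $3. The password is NOT interpolated here: psql substitutes :'pw'
# when the script runs (psql -v pw="$DS_PASSWORD"), so it never appears in the
# generated SQL, shell history or logs.
readonly_datasource_sql() {
    role=$1; schema=$2; db=$3
    for ident in "$role" "$schema" "$db"; do
        is_safe_ident "$ident" || { echo "unsafe identifier: $ident" >&2; return 1; }
    done
    cat <<EOF
CREATE ROLE $role LOGIN PASSWORD :'pw' NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;
-- start from nothing, then grant only what metadata ingestion needs
REVOKE ALL ON DATABASE $db FROM $role;
REVOKE ALL ON SCHEMA $schema FROM $role;
GRANT CONNECT ON DATABASE $db TO $role;
GRANT USAGE ON SCHEMA $schema TO $role;
GRANT SELECT ON ALL TABLES IN SCHEMA $schema TO $role;
-- tables created later in the schema stay readable, and still read-only
ALTER DEFAULT PRIVILEGES IN SCHEMA $schema GRANT SELECT ON TABLES TO $role;
EOF
}

# Emit an audit query listing login roles with elevated rights; the checklist
# wants this list short and ideally free of the default "postgres" name.
privileged_roles_sql() {
    cat <<'EOF'
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb
FROM pg_roles
WHERE rolcanlogin AND (rolsuper OR rolcreaterole OR rolcreatedb)
ORDER BY rolname;
EOF
}

# Stand-alone run: print the SQL for the constructed sample names.
readonly_datasource_sql ds_reader public sourcedb
privileged_roles_sql
```

To apply it, pipe the output into psql with the password passed as a variable, for example `readonly_datasource_sql ds_reader public sourcedb | psql -v ON_ERROR_STOP=1 -v pw="$DS_PASSWORD" sourcedb`, and run `privileged_roles_sql | psql sourcedb` periodically as the check behind the "few admin users" item. NOINHERIT and the explicit REVOKEs mean the account gets nothing through group membership or PUBLIC grants that the GRANT lines do not list.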
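Two other checklist items, the long random ENCRYPTION_KEY and keeping secrets out of the Docker build stage, are easy to get subtly wrong. The script below is an added example, not Katalogue project code: it generates a key of the right shape, checks a candidate value against that shape, and scans a Dockerfile for ARG or ENV instructions that would bake one of the three secrets the page lists into image layers. The two Dockerfiles it inspects are constructed inline with placeholder image and entrypoint names; openssl is assumed to be available, with a /dev/urandom fallback otherwise.

```shell
#!/bin/sh
# Added example, not Katalogue project code: generate a proper ENCRYPTION_KEY
# and check that a Dockerfile does not bake secrets into the image.
set -eu

# Secret names taken from the hardening page's own list.
SECRET_NAMES="ENCRYPTION_KEY REPOSITORY_PASSWORD OIDC_CLIENT_SECRET"

# 32 bytes from the OS CSPRNG, printed as 64 hex characters.
# Uses OpenSSL when present, otherwise /dev/urandom via od.
gen_encryption_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
    fi
}

# Returns 0 only for exactly 64 lowercase hex characters, the shape
# gen_encryption_key produces; short or hand-typed values are rejected.
is_strong_key() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Scan a Dockerfile ($1) for ARG/ENV instructions naming one of the secrets.
# Either instruction persists the value in image layers and `docker history`,
# which is what the checklist forbids. Returns 0 when clean, 1 otherwise.
dockerfile_is_clean() {
    status=0
    for name in $SECRET_NAMES; do
        if grep -Eiq "^[[:space:]]*(ARG|ENV)[[:space:]]+${name}([=[:space:]]|$)" "$1"; then
            echo "baked-in secret: $name in $1" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample Dockerfiles (placeholder base image and entrypoint).
WORKDIR=$(mktemp -d)
BAD_DOCKERFILE=$WORKDIR/Dockerfile.bad
GOOD_DOCKERFILE=$WORKDIR/Dockerfile.good

cat > "$BAD_DOCKERFILE" <<'EOF'
# anti-pattern: secret passed at build time and stored in the image
FROM placeholder-base-image
ARG ENCRYPTION_KEY
ENV ENCRYPTION_KEY=$ENCRYPTION_KEY
COPY publish/ /app
ENTRYPOINT ["dotnet", "/app/App.dll"]
EOF

cat > "$GOOD_DOCKERFILE" <<'EOF'
# secrets arrive at container start (docker run -e / compose env_file),
# so nothing secret exists while the image is built
FROM placeholder-base-image
COPY publish/ /app
ENTRYPOINT ["dotnet", "/app/App.dll"]
EOF

# Stand-alone run: print a fresh key's length and report on both Dockerfiles.
KEY=$(gen_encryption_key)
is_strong_key "$KEY" && echo "generated ENCRYPTION_KEY of ${#KEY} hex chars"
dockerfile_is_clean "$GOOD_DOCKERFILE" && echo "$GOOD_DOCKERFILE: ok"
dockerfile_is_clean "$BAD_DOCKERFILE" || echo "$BAD_DOCKERFILE: FAIL"
```

The generated key should be handed to the container at start, for example `docker run -e ENCRYPTION_KEY="$(gen_encryption_key)" ...` or through an env_file or secrets mechanism that is not part of the image, and `dockerfile_is_clean` fits as a pre-build check in CI; a secret that slipped in through ARG or ENV remains readable with `docker history --no-trunc` even after the layer is "deleted" later in the build.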
If all of the steps above are followed, the only secrets Katalogue needs to handle are the following:
- ENCRYPTION_KEY - The encryption key used to encrypt JWT cookies for authenticating requests from the frontend service.
- REPOSITORY_PASSWORD - The repository database user password.
- OIDC_CLIENT_SECRET - The Microsoft Entra Id app registration’s client secret.