---
title: "Harden Security Posture"
url: "https://docs.caracal.run/security/hardening/"
markdown_url: "https://docs.caracal.run/markdown/security/hardening.md"
description: "Security hardening guidance for production Caracal deployments."
page_type: "reference"
concepts: []
requires: []
---

# Harden Security Posture

Canonical URL: https://docs.caracal.run/security/hardening/
Markdown URL: https://docs.caracal.run/markdown/security/hardening.md
Description: Security hardening guidance for production Caracal deployments.
Page type: reference
Concepts: none
Requires: none

---

Use this checklist before exposing Caracal to production workloads or protected upstreams.

## Deployment Mode

| Check | Expected |
| --- | --- |
| Mode | `CARACAL_MODE=stable` or `rc`; never rely on `dev` defaults for production. |
| Ports | Public ingress exposes only required API/Gateway endpoints; storage remains private. |
| Network | NetworkPolicy or equivalent restricts ingress and egress. |
| Containers | Non-root, dropped capabilities, no-new-privileges, read-only root filesystem where supported. |

## Secrets and Keys

| Check | Expected |
| --- | --- |
| Secret delivery | Mounted secret files or platform secret manager, not inline production secrets. |
| HMAC keys | `AUDIT_HMAC_KEY`, `STREAMS_HMAC_KEY`, and `GATEWAY_STS_HMAC_KEY` are strong and rotated under control. |
| Zone KEK | `ZONE_KEK` is protected and backed up with the database. |
| Admin/Coordinator tokens | Stored privately, rotated, and scoped to operator need. |
| Runtime profiles | `caracal.toml` and secret files are owner-only when written locally. |

## Access Enforcement

| Check | Expected |
| --- | --- |
| STS | Fails closed on invalid client credentials, policy denial, revoked sessions, replay, invalid delegation, and unsatisfied step-up. |
| Gateway | Requires bearer token and `X-Caracal-Resource`, validates binding, rejects path traversal and unsafe upstreams. |
| Control | Disabled unless explicitly needed; invoke endpoint requires gate, JWT, replay protection, rate limit, and audit. |
| Resource servers | Verify mandate signature, issuer, audience, scopes, token use, agent/delegation requirements, hop limits, and revocation. |

## Audit and Recovery

| Check | Expected |
| --- | --- |
| Audit stream | `caracal.audit.events` and DLQ are monitored. |
| Tamper checks | Audit tamper alerts page the security/on-call path. |
| Backups | Postgres, runtime secrets, and audit exports are restorable. |
| Replay | STS/Gateway audit replay volumes are preserved through rollouts. |

## Next Step

Use [Report a Vulnerability](/security/disclosure/) if hardening review uncovers a suspected vulnerability.

## Related Pages

- [Harden Production](/operations/tls-hardening/)
- [Rotate Keys and Secrets](/operations/key-management/)
- [Back Up and Retain Data](/operations/backup-retention/)
