Harden Security Posture

Use this checklist before exposing Caracal to production workloads or protected upstreams.

| Check | Expected |
| --- | --- |
| Mode | CARACAL_MODE=stable or rc; never rely on dev defaults for production. |
| Ports | Public ingress exposes only required API/Gateway endpoints; storage remains private. |
| Network | NetworkPolicy or equivalent restricts ingress and egress. |
| Containers | Non-root, dropped capabilities, no-new-privileges, read-only root filesystem where supported. |

| Check | Expected |
| --- | --- |
| Secret delivery | Mounted secret files or platform secret manager, not inline production secrets. |
| HMAC keys | AUDIT_HMAC_KEY, STREAMS_HMAC_KEY, and GATEWAY_STS_HMAC_KEY are strong and rotated under control. |
| Zone KEK | ZONE_KEK is protected and backed up with the database. |
| Admin/Coordinator tokens | Stored privately, rotated, and scoped to operator need. |
| Runtime profiles | caracal.toml and secret files are owner-only when written locally. |

| Check | Expected |
| --- | --- |
| STS | Fails closed on invalid client credentials, policy denial, revoked sessions, replay, invalid delegation, and unsatisfied step-up. |
| Gateway | Requires bearer token and X-Caracal-Resource, validates binding, rejects path traversal and unsafe upstreams. |
| Control | Disabled unless explicitly needed; invoke endpoint requires gate, JWT, replay protection, rate limit, and audit. |
| Resource servers | Verify mandate signature, issuer, audience, scopes, token use, agent/delegation requirements, hop limits, and revocation. |

| Check | Expected |
| --- | --- |
| Audit stream | caracal.audit.events and DLQ are monitored. |
| Tamper checks | Audit tamper alerts page the security/on-call path. |
| Backups | Postgres, runtime secrets, and audit exports are restorable. |
| Replay | STS/Gateway audit replay volumes are preserved through rollouts. |
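
A preflight check for the Mode and Runtime profiles rows, as an added example that is not part of Caracal or its documentation. It assumes caracal.toml and the locally written secret files sit together in one directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Caracal tooling. Assumption: caracal.toml and the
# secret files live together in one directory passed as the second argument.

# Row "Mode": only stable or rc are acceptable for production.
check_mode() {
    case "$1" in
        stable|rc) return 0 ;;
        *) return 1 ;;
    esac
}

# Row "Runtime profiles": a file is owner-only when the group and other
# permission triplets are empty (e.g. -rw------- or -r--------).
is_owner_only() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# Run both checks; print one line per failure and return the failure count.
preflight() {
    mode=$1 dir=$2 failures=0
    if ! check_mode "$mode"; then
        echo "FAIL mode: CARACAL_MODE='$mode' (expected stable or rc)"
        failures=$((failures + 1))
    fi
    if [ ! -f "$dir/caracal.toml" ]; then
        echo "FAIL profile: $dir/caracal.toml not found"
        failures=$((failures + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! is_owner_only "$f"; then
            echo "FAIL perms: $f is readable or writable beyond its owner"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage: preflight "$CARACAL_MODE" /path/to/profile-dir
```

A non-zero return is the number of failed checks, so the function can gate a deployment step directly.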

Use Report a Vulnerability if a hardening review uncovers a suspected vulnerability.