Security Best Practices¶

Essential security guidelines for using USSO in production.

Token Security¶

1. Use HTTPS in Production¶

Always use HTTPS to prevent token interception:

server {
    listen 443 ssl;
    server_name api.yourapp.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
}

2. Store Tokens Securely¶

Access Tokens: - Browser: HTTP-only cookies or memory - Mobile: Secure storage (Keychain/Keystore) - Never in localStorage if XSS risk exists

Refresh Tokens: - Always use HTTP-only cookies - Never expose to JavaScript

3. Short Token Lifetimes¶

ACCESS_TOKEN_EXPIRE = 3600   # 1 hour
REFRESH_TOKEN_EXPIRE = 2592000  # 30 days

Password Security¶

1. Strong Password Policy¶

{
  "password_min_length": 10,
  "password_require_uppercase": true,
  "password_require_lowercase": true,
  "password_require_number": true,
  "password_require_special": true
}

2. Rate Limiting¶

Prevent brute force attacks:

# 5 failed attempts per 5 minutes
{
  "login_attempts_limit": 5,
  "login_attempts_window": 300
}

API Security¶

1. Validate All Inputs¶

from pydantic import BaseModel, EmailStr, constr

class UserCreate(BaseModel):
    email: EmailStr
    password: constr(min_length=8)

2. Check Scopes¶

def require_scope(scope: str):
    def checker(user: UserData):
        if scope not in user.scopes:
            raise HTTPException(status_code=403)
        return user
    return checker

3. Validate Workspace¶

# Always filter by workspace
projects = db.projects.find({
    "workspace_id": user.workspace_id
})

Infrastructure Security¶

1. Secure MongoDB¶

# Enable authentication
mongod --auth

# Use TLS
mongod --tlsMode requireTLS

2. Secure Redis¶

# Require password
requirepass YOUR_STRONG_PASSWORD

# Bind to localhost only
bind 127.0.0.1

3. Network Isolation¶

# Docker network isolation
networks:
  frontend:
    # Exposed to internet
  backend:
    internal: true  # Not exposed

Monitoring¶

1. Log Security Events¶

logger.warning(
    "Failed login attempt",
    identifier=identifier,
    ip=request.client.host,
    user_agent=request.headers.get("user-agent")
)

2. Alert on Anomalies¶

Multiple failed logins
Logins from new locations
Unusual API usage patterns

3. Regular Audits¶

# Review active sessions
GET /api/sso/v1/sessions

# Review API keys
GET /api/sso/v1/apikeys

# Review user permissions
GET /api/sso/v1/users

Compliance¶

Allow users to export data
Implement right to be forgotten
Log all data access

SOC 2¶

Encrypt data at rest
Encrypt data in transit
Regular security audits
Access logging

Learn more →