# Security Checklist

Security hardening checklist for JDX Odoo production deployment.

## Pre-Deployment Checklist

### Infrastructure
- Server firewall configured (only 80/443 open to the internet; SSH restricted to admin IPs)
- SSH key-only authentication (password disabled)
- SSH on non-standard port (optional)
- Fail2ban installed and configured
- Automatic security updates enabled
### SSL/TLS
- SSL certificate installed (Let's Encrypt)
- Auto-renewal configured
- HTTP redirects to HTTPS
- HSTS header enabled
- TLS 1.2+ only (disable older protocols)
### Database
- RDS in private subnet (no public access)
- Strong database password (32+ chars)
- Database encrypted at rest
- Database backups encrypted
- Connections to the database use SSL/TLS
### Odoo Application

- `admin_passwd` set to a strong value
- `list_db = False` in production
- `proxy_mode = True` configured
- Debug mode disabled
- Default admin password changed
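As an added example (not part of the JDX project's own code), the following Python script audits an `odoo.conf` against the three configuration items above. Both config samples are constructed; the 32-character minimum for `admin_passwd` is an assumption borrowed from the database-password item, and the pbkdf2-sha512 prefix check relies on Odoo hashing the master password once it has been set through the database manager.

```python
import configparser
import secrets
from typing import List

# Constructed sample: Odoo's shipped defaults, which fail every
# configuration item in the "Odoo Application" section.
WEAK_CONF = """\
[options]
admin_passwd = admin
list_db = True
proxy_mode = False
"""

# Constructed sample after applying the checklist. The master password is a
# placeholder generated at import time; a real one is never committed to git.
HARDENED_CONF = f"""\
[options]
admin_passwd = {secrets.token_urlsafe(32)}
list_db = False
proxy_mode = True
"""

MIN_MASTER_PASSWORD_LEN = 32  # assumption: same bar as the DB password item


def audit_odoo_conf(text: str) -> List[str]:
    """Return the checklist items the given odoo.conf text fails (empty = pass)."""
    # interpolation=None so a '%' inside a password is not treated as a substitution.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("options"):
        return ["missing [options] section"]
    findings: List[str] = []

    master = parser.get("options", "admin_passwd", fallback="").strip()
    # Odoo rewrites admin_passwd as a pbkdf2-sha512 hash after it is set via the
    # database manager; a hashed value counts as already changed from the default.
    hashed = master.startswith("$pbkdf2-sha512$")
    if not hashed and (master.lower() in ("", "admin") or len(master) < MIN_MASTER_PASSWORD_LEN):
        findings.append("admin_passwd is default, empty or shorter than 32 characters")

    # Odoo defaults list_db to True, which exposes the database manager and DB names.
    if parser.getboolean("options", "list_db", fallback=True):
        findings.append("list_db should be False in production")

    # Without proxy_mode Odoo ignores X-Forwarded-* from nginx, so logged client
    # IPs and generated URLs are wrong behind the reverse proxy.
    if not parser.getboolean("options", "proxy_mode", fallback=False):
        findings.append("proxy_mode should be True behind nginx")
    return findings
```

Run `audit_odoo_conf(open("/etc/odoo/odoo.conf").read())` from a deploy hook and fail the deploy when the returned list is non-empty.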
### Docker
- Images from official sources
- No containers running as root
- Read-only volumes where possible
- Resource limits configured
- Docker socket not exposed
### Secrets Management
- No secrets in code/repos
- Secrets in environment variables
- Consider AWS Secrets Manager
- API keys rotated periodically
- `.env` files not committed to git
## Network Security

### Firewall Rules

```bash
# Allow SSH (consider non-standard port)
ufw allow 22/tcp
# Allow HTTP/HTTPS
ufw allow 80/tcp
ufw allow 443/tcp
# Enable firewall
ufw enable
```
### Security Groups (AWS)
| Type | Port | Source | Description |
|---|---|---|---|
| SSH | 22 | Your IP | Admin access |
| HTTP | 80 | 0.0.0.0/0 | Web traffic |
| HTTPS | 443 | 0.0.0.0/0 | Secure web |
| PostgreSQL | 5432 | App SG only | Database |
### Nginx Security Headers

```nginx
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# Legacy header: modern browsers ignore it; CSP below is the effective control
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Permissive policy: 'unsafe-inline' and 'unsafe-eval' are required by the Odoo web client
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always;
# Hide server version
server_tokens off;
```
## Access Control

### User Management
- Remove default users
- Implement least privilege
- Review user access quarterly
- Disable accounts inactive for 90 days
- Audit login attempts
### API Security
- API keys rotated every 90 days
- Rate limiting configured
- IP whitelisting for sensitive endpoints
- JWT tokens with short expiry
- Log all API access
## Monitoring Security

### Log Collection
- All logs shipped to central location
- Log retention: 90 days minimum
- Alerts for suspicious activity
- Regular log review
### Alerts to Configure
| Event | Severity | Action |
|---|---|---|
| Failed login (5+ attempts) | High | Alert + Block IP |
| Admin login from new IP | Medium | Alert |
| Large data export | Medium | Alert |
| Service restart | Low | Log |
| SSL cert expiring | High | Alert |
## Backup Security
- Backups encrypted at rest
- Backups in separate AWS account (optional)
- Backup access logged
- Regular restore testing
- Offline backup copy (quarterly)
## Incident Response

### Contact List
| Role | Contact | Phone |
|---|---|---|
| Primary Admin | TBD | TBD |
| Backup Admin | TBD | TBD |
| Security Lead | TBD | TBD |
### Response Steps

1. Identify - Confirm the incident
2. Contain - Isolate affected systems
3. Eradicate - Remove the threat
4. Recover - Restore services
5. Learn - Post-incident review
## Compliance

### Data Protection
- PII identified and documented
- Data retention policy defined
- Data export capability
- Right to deletion implemented
### Audit Trail
- All changes logged
- Logs tamper-evident
- Access to logs restricted
- Audit log retention: 1 year
## Quarterly Security Review
- Review all user access
- Rotate API keys
- Test backup restoration
- Review security alerts
- Update dependencies
- Penetration test (annual)