Security
Temps provides enterprise-grade security features to protect your applications and data. This guide covers security configuration, firewall rules, and hardening best practices.
Authentication & Authorization
Temps supports multiple authentication methods and role-based access control (RBAC) to secure your platform.
Authentication Methods
- Name
Email/Password- Description
Standard email and password authentication with Argon2 password hashing for secure storage.
- Name
Magic Links- Description
Passwordless authentication via email-based magic links for enhanced security and user experience.
- Name
OAuth- Description
GitHub and GitLab OAuth integration for seamless repository access and authentication.
- Name
API Keys- Description
Long-lived tokens for programmatic access, securely hashed with Argon2.
- Name
2FA/MFA- Description
TOTP-based two-factor authentication with QR code setup for additional account security.
- Name
JWT Tokens- Description
Bearer tokens for API requests with secure session management.
Role-Based Access Control (RBAC)
Temps includes granular permission management with built-in roles and 20+ permissions:
Built-in Roles:
admin- Full platform accessdeveloper- Project and deployment managementviewer- Read-only access
Granular Permissions:
- Projects: Read, Create, Update, Delete
- Deployments: Read, Create, Update, Delete
- Domains: Read, Create, Update, Delete
- Analytics: Read
- Error Tracking: Read
- Monitoring: Read, Write
- Backups: Read, Write
- Settings: Read, Write
- API Keys: Read, Create, Update, Delete
- Users: Read, Create, Update, Delete
Configure User Permissions
# Assign role to user
temps user assign-role --email user@example.com --role developer
# List user permissions
temps user permissions --email user@example.com
Firewall Configuration
Temps includes built-in firewall features to control access and prevent abuse through IP filtering and rate limiting.
IP Address Management
Control access to your Temps instance and deployments using IP allowlists and blocklists.
Blocked IP Addresses
Block specific IP addresses or CIDR ranges from accessing your platform:
Configure Blocked IPs
# config/settings.yml
security:
firewall:
enabled: true
blocked_ips:
- "192.168.1.100"
- "10.0.0.0/8"
- "172.16.0.0/12"
- "203.0.113.0/24"
Allowed IP Addresses
Restrict access to specific IP addresses (whitelist mode):
Configure Allowed IPs
# config/settings.yml
security:
firewall:
enabled: true
whitelist_mode: true
allowed_ips:
- "203.0.113.0/24" # Office network
- "198.51.100.10" # VPN gateway
- "192.0.2.50" # Admin workstation
Rate Limiting
Protect your platform from abuse with configurable rate limiting per project and path.
Global Rate Limits
Configure platform-wide rate limiting:
- Requests per minute
- Requests per hour
- Per-IP limits
- Per-project limits
Path-Specific Limits
Fine-grained control per route:
- API endpoints
- Authentication routes
- Static assets
- Custom paths
Configure Rate Limiting
# config/settings.yml
security:
rate_limiting:
enabled: true
max_requests_per_minute: 60
max_requests_per_hour: 1000
# Path-specific limits
paths:
- path: "/api/*"
requests_per_minute: 30
requests_per_hour: 500
- path: "/auth/*"
requests_per_minute: 10
requests_per_hour: 100
- path: "/webhooks/*"
requests_per_minute: 100
requests_per_hour: 2000
# IP whitelist (bypass rate limits)
whitelist_ips:
- "203.0.113.0/24"
- "198.51.100.10"
Rate Limit Headers:
Temps includes standard rate limit headers in API responses:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1640995200
Per-Project Rate Limiting
Each project can have custom rate limits independent of global settings:
Project Rate Limits
# Set rate limit for a project
temps project ratelimit --project my-app --per-minute 100
# Set rate limit for specific environment
temps project ratelimit --project my-app --env production --per-minute 200
Security Headers
Temps automatically configures security headers to protect against common web vulnerabilities.
Available Security Headers
- Name
Content-Security-Policy (CSP)- Description
Prevents XSS attacks by controlling which resources can be loaded. Configurable with custom directives.
- Name
X-Frame-Options- Description
Protects against clickjacking attacks. Default:
SAMEORIGIN
- Name
X-Content-Type-Options- Description
Prevents MIME type sniffing. Default:
nosniff
- Name
X-XSS-Protection- Description
Enables browser XSS protection. Default:
1; mode=block
- Name
Strict-Transport-Security (HSTS)- Description
Forces HTTPS connections. Default:
max-age=31536000; includeSubDomains
- Name
Referrer-Policy- Description
Controls referrer information. Default:
strict-origin-when-cross-origin
- Name
Permissions-Policy- Description
Controls browser features and APIs. Configurable per-project.
Configure Security Headers
Security Headers Configuration
# config/settings.yml
security:
headers:
enabled: true
preset: "strict" # Options: strict, moderate, permissive
# Custom CSP
content_security_policy: >
default-src 'self';
script-src 'self' 'unsafe-inline' https://cdn.example.com;
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self' data:;
connect-src 'self' https://api.example.com;
frame-ancestors 'none';
# Other headers
x_frame_options: "DENY"
x_content_type_options: "nosniff"
x_xss_protection: "1; mode=block"
strict_transport_security: "max-age=63072000; includeSubDomains; preload"
referrer_policy: "strict-origin-when-cross-origin"
permissions_policy: >
geolocation=(),
microphone=(),
camera=(),
payment=()
Security Header Presets
Strict (Recommended for Production)
CSP: default-src 'self'
X-Frame-Options: DENY
HSTS: max-age=63072000; includeSubDomains; preload
Referrer-Policy: no-referrer
Moderate (Development)
CSP: default-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
HSTS: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
Secrets Management
Temps provides secure storage and management of sensitive data like API keys, tokens, and passwords.
Encrypted Environment Variables
All environment variables containing sensitive data are encrypted at rest using AES-256-GCM:
Manage Secrets
# Add encrypted environment variable
temps env set --project my-app --key API_KEY --value "secret-key" --encrypted
# Set multiple secrets from file
temps env import --project my-app --file .env.production --encrypted
# View secrets (decrypted, requires admin permission)
temps env list --project my-app --show-secrets
API Key Management
- Name
Scoped Access- Description
Create API keys with specific permissions (read-only, deploy-only, admin).
- Name
Expiration- Description
Set expiration dates for temporary access.
- Name
Rotation- Description
Regularly rotate API keys with zero downtime.
- Name
Audit Trail- Description
Track all API key usage in audit logs.
API Key Management
# Create scoped API key
temps api-key create --name "CI/CD Key" --scopes "deployments:create,projects:read"
# Create key with expiration
temps api-key create --name "Temp Key" --expires-in 30d
# Rotate API key
temps api-key rotate --key-id abc123
# Revoke API key
temps api-key revoke --key-id abc123
Audit Logging
Temps maintains comprehensive audit logs of all security-relevant events for compliance and forensics.
Logged Events
- Name
Authentication Events- Description
Login, logout, failed login attempts, password changes, MFA enable/disable
- Name
Authorization Changes- Description
Role assignments, permission grants, access denials
- Name
Resource Operations- Description
Project/deployment/domain create/update/delete operations
- Name
Security Events- Description
API key creation/rotation/revocation, secret access, firewall rule changes
- Name
Settings Changes- Description
Configuration updates, security policy changes
Audit Log Format
Each audit log entry includes:
{
"timestamp": "2024-01-15T10:30:00Z",
"userId": "user-123",
"userEmail": "admin@example.com",
"ipAddress": "203.0.113.50",
"userAgent": "Mozilla/5.0...",
"operation": "DEPLOYMENT_CREATE",
"resourceType": "deployment",
"resourceId": "deploy-456",
"description": "Created deployment for project 'my-app'",
"metadata": {
"projectId": "my-app",
"environment": "production",
"gitBranch": "main"
},
"result": "success"
}
Query Audit Logs
# View recent audit logs
temps audit logs --limit 50
# Filter by user
temps audit logs --user admin@example.com
# Filter by operation type
temps audit logs --operation DEPLOYMENT_CREATE
# Export logs for compliance
temps audit export --start-date 2024-01-01 --end-date 2024-12-31 --format json
TLS/SSL Configuration
Temps provides automatic TLS certificate management with Let's Encrypt and support for custom certificates.
Automatic TLS with Let's Encrypt
- Name
Zero Configuration- Description
Automatic certificate provisioning and renewal for all domains
- Name
Wildcard Support- Description
Supports wildcard certificates with DNS-01 challenge
- Name
Auto Renewal- Description
Certificates automatically renewed 30 days before expiration
- Name
Multiple Domains- Description
Single certificate for multiple domains and subdomains
TLS Configuration
# Enable automatic TLS for domain
temps domain add --domain example.com --tls auto
# Force certificate renewal
temps domain renew-cert --domain example.com
# Check certificate status
temps domain cert-status --domain example.com
Custom TLS Certificates
Upload your own certificates for custom CA or special requirements:
Custom Certificates
# Upload custom certificate
temps domain upload-cert \
--domain example.com \
--cert ./cert.pem \
--key ./private-key.pem \
--chain ./chain.pem
TLS Best Practices
Recommended TLS Configuration:
- Use TLS 1.2 and 1.3 only
- Disable weak cipher suites
- Enable HSTS with preload
- Use OCSP stapling
- Implement certificate pinning for mobile apps
Best Practices
Follow these security best practices for production deployments:
Infrastructure Security
Network Isolation
- Use private networks for database connections
- Implement VPC/subnet isolation
- Configure firewall rules at network level
- Use VPN for administrative access
Access Control
- Enable MFA for all admin accounts
- Use API keys instead of passwords for automation
- Implement least-privilege principle
- Regularly audit user permissions
Application Security
Secrets Management
- Never commit secrets to git
- Use encrypted environment variables
- Rotate secrets regularly
- Use separate secrets per environment
Dependencies
- Keep Temps and dependencies updated
- Run security scans on dependencies
- Enable automated security updates
- Review security advisories regularly
Monitoring & Response
Security Monitoring
- Enable audit logging
- Monitor failed login attempts
- Set up alerts for suspicious activity
- Review logs regularly
Incident Response
- Have incident response plan
- Enable automatic backups
- Test disaster recovery procedures
- Document security procedures
Compliance
- Name
GDPR- Description
Enable audit logging, implement data retention policies, provide user data export
- Name
SOC 2- Description
Configure audit logs, enable MFA, implement access controls, maintain security documentation
- Name
HIPAA- Description
Enable encryption at rest and in transit, implement audit logging, use BAA-compliant infrastructure
- Name
PCI DSS- Description
Implement network segmentation, enable security headers, use strong authentication, maintain audit logs
Security Checklist
Production Deployment Checklist:
- Enable MFA for all admin accounts
- Configure firewall rules (IP allowlist/blocklist)
- Enable rate limiting
- Apply strict security headers preset
- Enable automatic TLS with HSTS
- Configure encrypted environment variables
- Enable audit logging
- Set up security monitoring and alerts
- Implement backup strategy
- Document security procedures
- Review and update dependencies
- Perform security audit