OpenQAOpenQA
Deployment

Security Guide

Best practices for securing your OpenQA deployment in production.

⚠️ Important

OpenQA has access to your application and can execute tests. Proper security configuration is critical.

Authentication

OpenQA uses JWT-based authentication with httpOnly cookies:

  • First-time setup: Create admin account at /setup
  • Login: Authenticate at /login
  • Session: JWT stored in httpOnly cookie (7 days)
  • Roles: Admin and User roles with different permissions

JWT Secret

Generate a strong secret for production:

bash
1# Generate a 64-character hex secret
2openssl rand -hex 32
3 
4# Set in environment
5OPENQA_JWT_SECRET=your-generated-secret

🔑 Secret Requirements

  • • Minimum 32 characters (64 recommended)
  • • Use cryptographically random generation
  • • Never commit to version control
  • • Rotate periodically

Never Disable Authentication

bash
1# ❌ NEVER do this in production
2OPENQA_AUTH_DISABLED=true
3 
4# ✅ Always keep authentication enabled
5OPENQA_AUTH_DISABLED=false  # or just don't set it

HTTPS / SSL

Always use HTTPS in production:

Using Certbot (Let's Encrypt)

bash
1# Install Certbot
2sudo apt install certbot
3 
4# Get certificate
5sudo certbot certonly --standalone -d your-domain.com
6 
7# Certificates are stored at:
8# /etc/letsencrypt/live/your-domain.com/fullchain.pem
9# /etc/letsencrypt/live/your-domain.com/privkey.pem

Nginx SSL Configuration

bash
1server {
2    listen 443 ssl http2;
3    server_name your-domain.com;
4 
5    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
6    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
7 
8    # Modern SSL configuration
9    ssl_protocols TLSv1.2 TLSv1.3;
10    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
11    ssl_prefer_server_ciphers off;
12 
13    # Security headers
14    add_header X-Frame-Options "SAMEORIGIN" always;
15    add_header X-Content-Type-Options "nosniff" always;
16    add_header X-XSS-Protection "1; mode=block" always;
17    add_header Strict-Transport-Security "max-age=31536000" always;
18 
19    location / {
20        proxy_pass http://localhost:4242;
21        proxy_http_version 1.1;
22        proxy_set_header Upgrade $http_upgrade;
23        proxy_set_header Connection "upgrade";
24        proxy_set_header Host $host;
25        proxy_set_header X-Real-IP $remote_addr;
26    }
27}

Rate Limiting

OpenQA includes built-in rate limiting:

  • Global API: 300 requests/minute per IP
  • Mutations: 30 requests/minute (start, stop, login)
  • Login: 5 attempts before lockout

CORS Configuration

bash
1# Restrict to specific origins
2CORS_ORIGINS=https://your-domain.com,https://admin.your-domain.com
3 
4# Or allow all (not recommended for production)
5CORS_ORIGINS=*

Firewall Rules

bash
1# Allow only HTTP/HTTPS
2sudo ufw allow 80/tcp
3sudo ufw allow 443/tcp
4sudo ufw allow 22/tcp  # SSH
5sudo ufw enable
6 
7# Block direct access to OpenQA port (use Nginx proxy)
8sudo ufw deny 4242/tcp

Environment Security

  • Set NODE_ENV=production to enable security features
  • Never expose .env files publicly
  • Use environment variables or secrets management
  • Rotate API keys periodically

Security Checklist

  • Strong OPENQA_JWT_SECRET (64+ chars)
  • Strong admin password (12+ chars, mixed)
  • HTTPS enabled with valid SSL certificate
  • NODE_ENV=production
  • OPENQA_AUTH_DISABLED is NOT set to true
  • CORS origins restricted
  • Firewall configured (ports 80, 443 only)
  • Regular backups configured
  • API keys stored securely (not in code)
  • Monitoring and alerting enabled

Incident Response

If you suspect a security breach:

  1. Immediately rotate OPENQA_JWT_SECRET
  2. Change all admin passwords
  3. Rotate LLM API keys
  4. Review access logs
  5. Check for unauthorized configuration changes