This document provides guidelines for securely deploying and maintaining a VeriMed API instance.
Never commit your .env file to version control. Use a secrets manager (HashiCorp Vault, AWS Secrets Manager, or Kubernetes Secrets) for production.
Generate unique, high-entropy keys for:
- API_KEY: X-API-KEY header protection
- JWT_SECRET: Admin session security
Example using OpenSSL:
openssl rand -base64 32
VeriMed uses bcrypt for password hashing. DO NOT store plain-text passwords in your environment variables.
- Generate a secure password.
- Create a hash:
npm run hash-password your-secure-password
- Store the resulting hash in ADMIN_PASS.
Always run the API behind a reverse proxy (Nginx, Caddy, Traefik) that enforces HTTPS/TLS termination.
Restrict CORS origins to your trusted frontend domains:
CORS_ORIGINS=https://app.verimed-client.com,https://admin.verimed-client.com
VeriMed performs magic-number validation on all uploads to prevent MIME spoofing. Only JPEG, PNG, WEBP, and PDF files are allowed.
Monitor the advisories and keep your dependencies updated:
npm update