This guide covers essential security measures that MUST be implemented before deploying MCP Pointer to production.

# Copy the template
cp env.template .env

# Edit with your secure values
nano .env

# JWT Secret (CRITICAL - Generate a strong secret!)
JWT_SECRET=your-super-secret-jwt-key-change-this-in-production

# Default Admin Password (CHANGE THIS!)
DEFAULT_ADMIN_PASSWORD=admin123

# AI API Keys (if using external services)
CLAUDE_API_KEY=your-claude-api-key-here

# Generate a cryptographically secure secret
node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"

# Or use OpenSSL
openssl rand -hex 64

• All secrets moved to environment variables
• .env file added to .gitignore
• No hardcoded passwords in code
• JWT secret is cryptographically secure (64+ characters)
• Default admin password changed

• Database file permissions set to 600 (owner read/write only)
• Database backups encrypted
• Regular security updates applied
• Database access restricted to application only

• HTTPS enabled in production
• CORS origins restricted to known domains
• Rate limiting configured
• Firewall rules applied
• WebRTC connections secured

• Input validation on all endpoints
• SQL injection prevention (parameterized queries)
• XSS protection enabled
• CSRF protection implemented
• Security headers configured

• ❌ Hardcoded JWT secrets
• ❌ Default passwords in source code
• ❌ Test files with credentials
• ❌ API keys in documentation
• ❌ Database passwords in config

• ✅ Environment variable validation
• ✅ Secure password hashing (bcrypt)
• ✅ JWT token expiration
• ✅ Rate limiting
• ✅ Input sanitization
• ✅ Error handling without information leakage

# Create production environment
cp env.template .env.production

# Generate secure secrets
JWT_SECRET=$(openssl rand -hex 64)
echo "JWT_SECRET=$JWT_SECRET" >> .env.production

# Set secure admin password
echo "DEFAULT_ADMIN_PASSWORD=$(openssl rand -base64 32)" >> .env.production

# Set secure database permissions
chmod 600 data/mcp-pointer.db
chown app:app data/mcp-pointer.db

# Create backup with encryption
tar -czf backup-$(date +%Y%m%d).tar.gz data/
gpg --symmetric backup-$(date +%Y%m%d).tar.gz

# Run with production environment
NODE_ENV=production bun run start

# Or use PM2 for process management
pm2 start start-server.ts --name mcp-pointer --env production

• .env files
• Database files (.db, .sqlite)
• Private keys (.key, .pem)
• Test files with credentials
• Log files with sensitive data

• Default passwords
• Weak JWT secrets
• HTTP (use HTTPS)
• Wide-open CORS
• Debug logging

• Database connection strings
• API keys in client-side code
• Internal network addresses
• Error details to users

• Failed login attempts
• Invalid token usage
• Rate limit violations
• Database access errors
• WebRTC connection failures

• Rotate JWT secrets monthly
• Update dependencies weekly
• Review access logs daily
• Backup database daily
• Test security measures monthly

1. Immediately rotate all secrets
2. Invalidate all active tokens
3. Review access logs
4. Update all passwords
5. Notify users if necessary

# Rotate JWT secret
JWT_SECRET=$(openssl rand -hex 64)
# Restart server with new secret

# Reset admin password
# Update database directly or re-seed

For security issues or questions:

• Review this guide thoroughly
• Check the deployment documentation
• Test in staging environment first
• Monitor logs for suspicious activity

Remember: Security is an ongoing process, not a one-time setup! 🔒