Durabull Documentation

Security and Hardening

Security checklist and operational hardening guidance for production Durabull deployments.

Critical Baseline

  • Run authenticated mode for internet-facing deployments.
  • Use a strong BETTER_AUTH_SECRET.
  • Set DURABULL_REDIS_URL_ENCRYPTION_KEY to a 32-byte random value (openssl rand -hex 32).
  • Enforce HTTPS at edge/load balancer.
  • Keep APP_BASE_URL and VITE_PUBLIC_APP_URL accurate and consistent.

Authless Mode Safety

Authless mode should be treated as trusted-admin mode.

If authless mode is enabled:

  • restrict access by private network controls
  • avoid direct public ingress
  • add external auth/VPN/IP allow-listing at perimeter

Connection URL Safety

Durabull validates Redis URLs and restricts unsafe patterns during connection create/test workflows.

Operational guidance:

  • grant connection management permissions sparingly
  • separate staging and production Redis credentials
  • run bun tooling/scripts/encrypt-redis-connection-urls.ts before rollout if any legacy plaintext rows exist
  • startup fails fast if encrypted rows cannot be decrypted with the configured key

API Protection

Built-in controls include:

  • secure headers
  • CORS policy
  • request body size limit (1MB)
  • in-memory rate limiting when NODE_ENV=production

MCP (/mcp)

Durabull's hosted MCP endpoint adds layered read protections (enforced when NODE_ENV=production):

  • Ingress rate limit: 120 HTTP requests/minute on all /mcp traffic, counted per bearer token, or per cf-connecting-ip / x-real-ip (not X-Forwarded-For) when unauthenticated
  • Per-tool rate limit: 60 calls/minute per tool name by default; 30/minute for get_job_logs, get_job_stacktraces, get_failure_events, get_queue_metrics, explain_job_failure
  • Output redaction: central sanitizer removes Redis URLs, credential-like keys, and bearer tokens from tool payloads
  • Audit events: every MCP tool call records principal, tool, input hash, and outcome in mcp_audit_event
  • Structured telemetry: JSON mcp_telemetry logs for policy denies, rate limits, and tool outcomes (auth failures: use HTTP access logs until auth telemetry is wired)

See MCP Server for scopes, tools, and client setup. Operators: MCP operations runbook.

In-memory rate limits are counted per process, so each API replica enforces its own counters. If running multiple API replicas, consider moving rate limits to a shared backend.
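
An added sketch, not Durabull's own code, of the ingress keying described above and of why per-process in-memory counters undercount once requests are spread over several replicas. The 120/minute limit and the header names come from this page; the fixed-window algorithm, the header precedence, the shared fallback bucket and all identifiers are assumptions.

```typescript
// Added illustration, not Durabull source. The limit and header names are from
// the page; the algorithm, precedence and all identifiers are assumptions.
type HeaderMap = Record<string, string | undefined>; // header names lower-cased

const INGRESS_LIMIT = 120; // requests per window on all /mcp traffic
const WINDOW_MS = 60_000;  // one minute

// Choose the identity a request is counted against.
function ingressKey(headers: HeaderMap): string {
  const m = /^Bearer\s+(\S+)$/i.exec((headers["authorization"] ?? "").trim());
  if (m) return `token:${m[1]}`; // a real limiter would key on a hash of the token
  // Unauthenticated: trust only headers set by the edge proxy. X-Forwarded-For
  // can carry client-supplied values, so it is never read.
  const ip = headers["cf-connecting-ip"] ?? headers["x-real-ip"];
  return ip ? `ip:${ip.trim()}` : "ip:unknown"; // assumed shared fallback bucket
}

// Fixed-window counter held in one process's memory.
class FixedWindowLimiter {
  private buckets = new Map<string, { start: number; count: number }>();
  private limit: number;
  private windowMs: number;
  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }
  allow(key: string, now: number): boolean {
    const b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      this.buckets.set(key, { start: now, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

// Send n identical requests at time `now`, round-robin over the replicas,
// and return how many were admitted in total.
function admitted(replicas: FixedWindowLimiter[], headers: HeaderMap, n: number, now: number): number {
  let ok = 0;
  for (let i = 0; i < n; i++) {
    const replica = replicas[i % replicas.length];
    if (replica && replica.allow(ingressKey(headers), now)) ok++;
  }
  return ok;
}
```

With two replicas behind a round-robin balancer, the same client is admitted 240 times in one minute instead of 120, which is the gap a shared backend closes.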

Secrets Handling

  • never commit .env with real secrets
  • rotate OAuth and auth secrets periodically
  • use platform secret stores (Render/Railway/Kubernetes secrets)

Data Plane and Network

  • prefer private Redis/Postgres connectivity
  • limit Redis exposure to trusted subnets
  • monitor unusual connection test or auth bursts
