From aff63479f22d5c7279c2fc10032bab32f3f42c7a Mon Sep 17 00:00:00 2001 From: KakiFilem Team Date: Thu, 5 Feb 2026 19:51:43 +0800 Subject: [PATCH] docs: move security guidance to SECURITY.md --- README.md | 22 ++-------------------- SECURITY.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 20 deletions(-) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index a48cbf1..990202f 100644 --- a/README.md +++ b/README.md @@ -265,26 +265,6 @@ Run `pg-r2-backup schedule` at any time to see scheduling examples. --- -## 🔐 Security - -- **Do not expose PostgreSQL directly to the public internet.** - If your database is not on a private network, use a secure tunnel instead. - -- **Recommended: Cloudflare Tunnel** - When using a public database URL, it is strongly recommended to connect via a secure tunnel such as **Cloudflare Tunnel** rather than opening database ports. - -- **Protect credentials** - Store all secrets (database URLs, R2 keys, encryption passwords) using environment variables. - Never commit `.env` files to version control. - -- **Encrypted backups (optional)** - Set `BACKUP_PASSWORD` to enable encrypted backups using 7z before uploading to S3-compatible storage. - -- **Least privilege access** - Use a PostgreSQL user with read-only access where possible, and restrict R2 credentials to the required bucket only. - ---- - ## 🛠 Development & Contributions Fork this repository **only if you plan to**: @@ -296,6 +276,8 @@ Fork this repository **only if you plan to**: --- +## For security best practices and deployment recommendations, see [SECURITY.md](SECURITY.md). + ## ❓ FAQ **Why only DATABASE_URL?** diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..0e4335c --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,48 @@ +# 🔐 Security Policy + +## Database Exposure + +This project does **not** require PostgreSQL to be exposed to the public internet. + +- Never open PostgreSQL port `5432` directly without strict firewall rules. +- Prefer private networking whenever possible. + +## Managed Databases + +Managed PostgreSQL providers (e.g. Supabase, Neon, AWS RDS, Google Cloud SQL) +use public hostnames but secure connections via TLS, authentication, and network controls. +These are safe to use without any tunnel. + +## Self-hosted Databases + +If you run PostgreSQL on your own server and cannot place it on a private network, +use a secure tunnel such as: +- Cloudflare Tunnel +- SSH tunneling +- VPN (WireGuard, Tailscale, etc.) + +Do **not** expose database ports directly to the internet. + +## Credentials & Secrets + +- Store all secrets (database URLs, R2 access keys, encryption passwords) + in environment variables. +- Never commit `.env` files or credentials to version control. + +## Encrypted Backups (Optional) + +Set `BACKUP_PASSWORD` to enable encrypted backups before uploading +to S3-compatible storage. + +## Least Privilege + +- Use a PostgreSQL user with read-only permissions where possible. +- Restrict Cloudflare R2 credentials to the required bucket only. + +## Reporting Security Issues + +If you discover a security vulnerability, please report it responsibly. +Do **not** open a public issue with sensitive details. + +> This document describes recommended security practices; exact requirements depend on your deployment environment. +
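Review bot: removing the entire `## 🔐 Security` section leaves the README with no pointer at the place readers previously found this guidance (between the `schedule` examples and `## 🛠 Development & Contributions`); consider keeping a one-line `## 🔐 Security` stub here that links to SECURITY.md instead of only adding a pointer further down. Note also that the removed bullet stated that encrypted backups are produced with 7z, a detail worth preserving wherever the guidance moves.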
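Review bot: the new pointer is written as an H2 heading (`## For security best practices and deployment recommendations, see [SECURITY.md](SECURITY.md).`), so a full sentence is rendered as a section title and will show up that way in any generated table of contents. Make it a plain paragraph, or use a short heading such as `## 🔐 Security` followed by the sentence, placed before `## ❓ FAQ`.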
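Review bot: `## Reporting Security Issues` asks for responsible reporting but names no channel (no contact e-mail, no link to a private advisory form), so a reporter is left with only the public issue tracker the section tells them not to use; add the intended contact. Two smaller points in the same file: `## Encrypted Backups (Optional)` drops the README's statement that encryption uses 7z, so users no longer learn what format `BACKUP_PASSWORD` produces or what tool restores it; and `## Managed Databases` says such providers are "safe to use without any tunnel" because of TLS, which only holds when the client enforces TLS, so the section should tell users to set the TLS mode in `DATABASE_URL` (for libpq, `sslmode=verify-full`) rather than rely on the provider default.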